What is our primary use case?
My organization is in the financial services industry and the majority of services that we offer are financial services centric. We operate in or support almost every industry in the marketplace. We store, process, and transmit highly sensitive information. Sometimes that information is premarket. Other times that information is personally identifiable information, personal health information, etc. It is dependent upon our client's requirements. Security is the cornerstone of all that we do. It's in our DNA, as we like to say internally. Being in a position to understand when we are at risk of a cyber attack is paramount.
We have a strong desire to understand who did what, where, when, and why internally. empow's near real-time, high-fidelity security monitoring capability is our primary use case. Other use cases revolve around:
- Gaining as much insight from a threat intelligence perspective, being able to correlate that back to an alarm, and doing so in an automated fashion.
- The automated mitigation capability.
- The general reporting and analytics within the platform.
How has it helped my organization?
We have a significantly higher confidence in our ability to automate mitigations. We've had technologies across SOAR and cyber threat intelligence integrated into our platforms for over four years now. We would like to tell ourselves that we're reasonably experienced with both of those technology categories.
One of the most impressive accomplishments that we were able to showcase internally was building metrics around the fidelity of our playbooks when they're executed. We have a high degree of confidence that we have the right playbooks in place. It's also worth mentioning that we're a global organization. We are corporate focused, primarily, not consumer focused. We know where our clients are from a geographic perspective, as an example, but our clients travel. We want to be hyperconservative on those mitigation techniques so as not to adversely affect the client experience with our product lines. I was quite surprised that, even though we took a very conservative approach initially, the false positive percentages were almost zero when the mitigation playbooks were involved. The enablement of automated mitigations that the empow product line has provided us with is incredibly impressive.
One of the most impressive capabilities of the empow product line to our security analyst team is just how little maintenance is required to ensure that we are focusing on the right threats. The correlation rules themselves require effectively little to no maintenance from a client perspective, which is tremendous. This is leaps forward compared to other product lines and SIEMs over the last 10 years.
Correlation rule maintenance has been one of the most time-consuming bodies of work required. It is one of the areas where we had a higher degree of risk of focusing in the wrong areas. We spent an enormous amount of time being hyperfocused on ensuring that we had the right correlation rules in place, that the fidelity of those rules was sound, etc. We just can't begin to mention how pleased we are that, for the most part, this is no longer something we have to be concerned about.
The power of the AI and the natural language processing capability is best measured by the outputs. The fidelity of the alarms that we receive is just night and day compared to SIEM platforms and other platforms we've used in the past. I also feel it is a leading reason (major theme) why our overall alarm volume is significantly lower, because we deal with far less alert fatigue. We are dealing with far fewer false positives as a direct result of the AI and NLP capabilities.
Our overall false positive rates are significantly lower. It's definitely removed about 60 percent of the total volume of alarms that we have needed to respond to each month over the last year. Also, it's worth mentioning that we spent considerable amounts of time in years past focusing on managing correlation rules, ensuring that we had the right prioritization applied to those rules, that the rules were accounted for, or that they took into account our technology deployments, such as a general shift in our portfolio, adding/removing devices, retiring products and services, and adding new innovative solutions for our customers. This was to the extent that we had a 90-minute session twice a month with a partner of ours dedicated just to that topic. Today, we don't have any meetings per month focused on correlation rules, as a direct result of our transition to empow.
Their ability to focus on an event with a high degree of fidelity really drives our level of confidence. Therefore, we are quick to respond with a high degree of urgency when we do receive an alarm because we recognize that there is a very high probability that the alarm is accurate and the fidelity is very high. This enables us to focus on other areas throughout the day. However, once we do receive an alarm from empow, we recognize it's something that needs to be responded to with a high degree of urgency.
The integration between Elastic and empow has been quite impressive for a couple of reasons:
- We're a prime example of an organization that must have a high degree of flexibility in its deployments. We have full cloud-native deployments of products and corporate systems. We have on-prem deployments of both. Our cloud deployments span many cloud providers. Therefore, I need to be able to orchestrate and scale up and down my footprint, depending on geography, cloud providers, the tempos of the business relative to lifecycles with some of our products, and so on and so forth. Having a lot of levers to pull on Elasticsearch has proven to be very attractive to us for supporting our set of requirements and flexibility.
- They play a big role in making it incredibly easy to plug into other security tools, network platforms, and application platforms, whether they are internally developed or commercial offerings. The API model that the empow product provides has simplified the integration of almost any technology into their product lines.
empow has impacted our network security posture in a truly dramatic way, particularly in that we have a higher confidence, when we are responding to an event, that it is actionable and we should be concerned about it. Secondly, it has positively impacted our network security posture by way of automated mitigations defined within the system. The playbooks that we define, and can take a conservative approach to, help us avoid any negative impact to our clients. The accuracy of those playbooks defines the automated mitigations, and we have a tremendous amount of confidence in them. Those playbooks are triggered daily and that reduces risk. They reduce the amount of time spent to contain and mitigate events. Overall, from a security perspective, there have been quite dramatic steps forward.
It also directly supports our compliance programs. We're very easily able to measure when we have events and what actions were taken because the vast majority of them are addressed through automation.
I had worked using empow with a previous organization, but our requirements were very different. We are definitely enterprise-focused, but we are also corporate user-focused. Our client community is primarily that of mid to large enterprise organizations across the globe. How well a product organization and its services team respond to support calls is critically important. I give empow a lot of very high marks. The responsiveness has been very high, but more important than the responsiveness is the quality and accuracy of their recommended next steps to resolve whatever issue we may have.
What is most valuable?
- The automated mitigation capability.
- A next generation capability of attack replay, where it walks back from the event, historically, to provide that visualized representation of the attack lifecycle.
- The ability to rapidly deploy a comprehensive coverage tool without the need to spend months of planning for a deployment with emphasis placed on correlation rules. The ability to put aside the need for a high number of correlation rules is extremely advantageous to us, as it saves time and money, drives fidelity, and scores higher. It's just a fantastic capability.
When I think about the quality of the dashboard, it's one of the features that is just fantastic to speak about. They designed a dashboard where I can get a quick snapshot with a broad lens over the last seven to 10 days that dives specifically into areas which are a bit of concern. Also, from a SOC analyst perspective, there are many levels within a SOC organization, so whether they are entry level or a new hire, they can find that right altitude of interest relative to the depth of detail that's being presented. The flexibility of the dashboard to quickly drill up or down into an altitude of your choosing is fantastic.
Also, being able to pivot around between various data sets, whether it be:
- Threat intelligence centric data
- Alarm data
- A specific asset
- Elevating it to a solution level
- Elevating it to an entity level
The degree of flexibility and speed with which you can change your view is very impressive. Oftentimes, with some of the more legacy SIEMs which have been in the market for a long time, that was one of the major pain points: It took time to refresh views. The limitations of that flexibility were frustrating.
The platform has made mitigation faster primarily by way of the playbooks we defined (automated mitigation). We have a number of playbooks defined where our empow platform signals directly to the firewall to block traffic. For example, we have no customers in North Korea. Anytime we see an interrogation of our products or our assets from there, we signal the firewall to drop that traffic systematically. The time saved is not some form of mean time to respond to an event, but really the time our analysts gain to focus more on other areas.
What needs improvement?
empow has a few areas of improvement as with any other technology, such as continuing to drive innovation in the dashboard. While we've been extremely impressed with the dashboard's ease of use, flexibility, ability to drill down deeply, and focus very intently on an area of interest, there will always be opportunities to be more innovative and open it up to a wider audience than just the operations group, for example.
With reporting, there is always a desire to have custom reporting for every client of empow.
Relative to keeping up with the sheer pace of cloud-native technologies, it should provide more options for clients to deploy their technologies in unique ways. This is an area that I recommend that they maintain focus.
For how long have I used the solution?
I've been using the empow i-SIEM platform for a total of four years across two companies, but for two years in my current company.
What do I think about the stability of the solution?
Someone knock on some wood here if you would, but we haven't had any stability challenges yet. That is directly attributable to the architecture that we've put in place for empow and other solutions that we deploy. We plan for highly available solutions across each deployment site, or per data center, making geo-redundancies available. So far so good, we have not had any significant operational hiccups with the platform.
We have one dedicated resource who is accountable for ensuring that the empow environment is healthy, so one from a maintenance perspective. We have a team of threat analysts on staff. We have a third-party managed security services partnership in place as well. There's definitely one FTE whose primary role is to ensure that the empow platform is up and running, healthy, and satisfying the needs of our internal clients, which would be our team of cyber threat analysts.
What do I think about the scalability of the solution?
The scalability of empow is endless. I feel that they have an architecture that is highly scalable. It's been proven for on-prem, cloud, and hybrid environments. We presently have a hybrid environment. I suspect they can scale to almost any size needed. The question will be as to what are the unique needs of the organization where they've been deployed and what is their appetite for investing to ensure resiliency either locally, regionally, or globally. Those things play a role in how quickly and complex the architecture must be in order to scale.
It is the standard for security operations. Anywhere my organization deploys technology assets, empow will be providing coverage, if not already.
The ability for empow to be managed by a single analyst depends on the organization. I don't need a team of 20 to 25 analysts any longer. It's significantly fewer than that. Whether one analyst is enough really depends on the organization and what its threshold for risk is. That's unique to every organization. What is the size of the organization from a technology perspective: Are you dealing with hundreds or tens of thousands of servers? That will be indicative of your resource needs. It takes essentially one, maybe two, resources regardless of your size to directly support the care, feeding, capacity management, and monitoring of the empow platform. The simplicity of the architecture is remarkably impressive.
How are customer service and technical support?
The partnership between empow and Elasticsearch has a very positive impact on us from a couple of different angles:
- Support. There's one throat to choke. We pick up the phone, we reach out to the empow team, and we have one point of contact, whether we're experiencing an application issue, a data issue, etc. It just simplifies the overall management.
- The licensing negotiation through one organization is more simplified. As it relates to preparing for major upgrades, it makes our lives quite a bit easier when there are fewer parties that we have to interface with.
The partnership between empow and Elastic has a few key benefits:
- The simplification and how we have one point of contact for support regardless of what the issue type is. If we're experiencing a concern relative to the application, UI, reporting engines, etc., we have one phone number to call and one lead engineer to reach out to who takes ownership relative to determining if it's an internal empow matter, or if we need to reach out across the boundaries over to Elastic.
- How it relates to our planning for upgrades or expansion of the environment for capacity management purposes, whatever the issue may be. Having that simplified licensing arrangement makes my life easier. As we have one agreement, we have one pricing scheme to work from. It's just really good, which keeps it nice and simple for maintaining the business.
- As we look forward to future product lines and other architectural endeavors, having a single point of contact for planning purposes simplifies the process quite a bit as we look to year two and three.
Which solution did I use previously and why did I switch?
It is worth mentioning we were able to retire two other platforms as part of our migration over to empow. We retired a legacy SIEM deployment that we had in place for nearly four years. While it is a great product, I just felt that empow demonstrated more innovation at a lower cost point with a simpler architecture that's more extensible and easier to scale. We were able to retire the SIEM that we had in place for three and a half years, as well as our SOAR platform. We continue to use our existing cyber threat intelligence (CTI) platform, but there is an overlap with the capabilities across empow. However, we still see value in that CTI platform, so we retired the SOAR and our legacy SIEM.
We needed to make a change in large part because the cost of scaling was becoming quite concerning. Also, we went through a series of upgrades a little over a year ago that were problematic. So, anytime we experience something that is impactful, we now want to pause and reflect back on what we did well, what our opportunities were, and whether we missed any opportunities to avoid that situation from being realized. We used the outcomes of those reflections to revisit the market and made the decision to really pursue empow as our leading solution for security operations.
empow has significantly been able to reduce the time that we spend on just maintaining the platform, particularly as compared to other product lines that we've previously invested in. The biggest advantage in this regard would be the lack of time spent on managing the correlation rules. The simplified architecture allows us to really lean upon empow's support teams to effectively provide almost end-to-end support of the underlying infrastructure that comprises the platform.
How was the initial setup?
There was complexity to the initial deployment in so much that we were migrating from an existing, fairly sizable deployment, if not a product line. There were a couple of different solutions in place which comprised our overall enterprise security monitoring solution. We had the SIEM, our SOAR platform, a cyber intelligence interface from a number of different feeds, etc.
The initial deployment took a couple of weeks and most of it was planning. The actual technical activities were executed quite quickly. Of course, there was the migration of the primary existing data storage that we needed to migrate from our old SIEM environment, but there was also the body of work to redirect log streams and other ingestion of data from our several thousand devices (north of 5,000 devices) for production alone, which takes time. Our primary migration deployment was a couple of weeks. Most of that would be in planning. The primary migration of the existing data storage took about 14 days to go through three or four different change windows to make sure that it was complete and to wrap up some other activities. Then, the effort to redirect all the various log streams into the empow environment, away from a multitiered architecture to a single destination IP address, just a single collector across the environments, took approximately two months. That was more to ensure that we understood the risks associated with change management collisions, and we were hyperfocused on never losing a log throughout those migrations.
What about the implementation team?
There was some complexity that several of my teams and the empow team needed to walk through to make sure we mutually understood the goal and technical requirements. There were some business requirements and related reporting that we wanted to make sure we were all aligned to. While there were complexities, I also would give empow very favorable feedback as it relates to them taking a sense of ownership of the migration and the overall deployment of their technology. They really looked out for us. There were a number of times that they cautioned me to make some minor adjustments in the plan to ensure that they weren't disruptive to our business, for which I'm very appreciative.
Our overall implementation strategy was bringing both empow and representatives from my teams together to build a plan. We established a few key milestones and aligned those milestones relative to availability of resources on both sides. This ensured we really understood what we were trying to accomplish, not just from an architecture perspective, but also, e.g., taking into account key business timelines that we needed to be mindful of and where we just didn't have an appetite for some major change management activities to occur. We each brought project management resources, a lead architect, and a threat analyst to the table to ensure that we understood each of those perspectives to really comprise that team and ensure that they were set up for success. I would estimate the total team makeup, excluding myself, would be six: two from empow and four from my team.
What was our ROI?
We are saving so much time. We deal with billions of events a month. We are definitely a data-centric organization. Easily, we are able to save 75 percent of the head count for security operations that would otherwise be needed given our scale. Now, we are in a bit of a unique situation where the organization spun off from its parent company just shy of four years ago. So, we are still in a growth mode in many respects. While we are still continuing to expand our security organization from an FTE and head count perspective, it's very easy to quantify without empow we would be looking at seven to 10 more resources being required. This is opposed to the one or two who are focused on the platform today, where focused on the platform includes capacity management, general system administration of the environment, and monitoring/responding to alarms that are generated.
As a result of the automation, we are able to manage the SIEM with a small security team. I'm in a unique position where we have been growing the security organization quite rapidly over the last three and a half years. But, as a direct result of the transition from our legacy collection of tools to the empow platform, we've been able to keep that head count flat. We've been able to redirect a lot of the security team's time away from the wash, rinse, repeat activities of responding to alarms where we have a high degree of confidence that they will be false positives, and adjusting the rules accordingly. This can be a bit frustrating for the analysts when they have to spend hours a day dealing with these types of probable false positives. So, it has helped not only us keep our headcount flat relative to the resources necessary to provide the assurances that our executives expect of us for monitoring, but allows our analyst team to spend the majority of their time doing what they love. They are spending their time meaningfully with a higher degree of confidence and enjoying getting into the incident response type activity.
North of 75 percent of our time has been reduced relative to the support in the environment, starting from the general system administration, capacity management, the overall patching, and system admin of the ecosystem. Most notably would be on the time to maintain the application tier of empow, particularly that of the correlation rules. That has been reduced by north of 90 percent as compared to other platforms.
Mitigation time has been reduced by north of 75 percent for the vast majority of alarms that we receive. This varies depending on the event type. However, with the automated playbooks that we have defined and the confidence levels in the fidelity alarms, we have been able to enjoy significant reduction in our mean time to mitigate and mean time to respond.
As we have more alarms as a result of having more logs ingested, this means we need more analysts to respond to those alarms in order for us to meet our SLAs, because we have very aggressive SLAs. With a higher degree of fidelity in the alarms, we were able to avoid adding additional resources to our teams. We take into account the cost of security resources in the market and the significantly higher fidelity of the alarms that are being generated. This drove down our costs with our MSSP. It drove down my cost for human capital internally. It drove down our need to have multiple resources supporting the underlying infrastructure and health and maintenance of empow as a platform, from several resources down to one. Therefore, human capital costs were significantly reduced. Our operating expenses were significantly reduced. Our capital costs were significantly reduced while tripling our capacity, and our run rate was reduced. It was almost a "too good to be true" situation. Fortunately for us, it worked out very nicely.
What's my experience with pricing, setup cost, and licensing?
We were looking at a seven figure investment being necessary to sustain our growth projections for our log ingestion requirements, just for production. We had a goal of ensuring that we understood who did what, where, when, and why across all assets: production, staging, development, field devices, laptops, iPads, etc. Not only were we able to avoid all those costs relative to growth, from a point in time forward, the cost structure of empow (as compared to both existing tools) was cheaper for us to migrate to than it was to sustain our legacy platforms. When it's cheaper to migrate, that's very attractive.
I don't have to put up any longer with these hypercomplex licensing agreements. Every time I wanted to add some additional compliance-centric or regulation-specific reporting, e.g., GDPR, PCI, or Sarbanes-Oxley, many providers would require an additional license for this, which felt a bit ridiculous to me. With the simplified licensing architecture, there were no hidden "gotchas" down the road with empow. That is something I have experienced with other providers that I've worked with in the past.
As it relates to the SOAR side of the toolkit, there was no need to purchase an independent SOAR platform. The innovation that empow brings to the market just addressed all those use cases natively. We were able to just completely retire that toolkit out of our environment.
Which other solutions did I evaluate?
As we do with almost every technology selection, we looked at the markets. For this particular technology stack, there were five or six different players who we looked at intently. Then, as with most organizations, we took the broader view. We narrowed it down to two or three finalists who went into a formalized proof of concept lab environment, which runs for an extended period of time for something so critical as a SIEM or SOAR, which are the primary reporting capabilities for security purposes. We had an extended evaluation and followed that crawl, walk, run model relative to our rollout. In hindsight, it was a very structured, formalized process. What was interesting, the business case was very simple because of the cost savings from just the cost avoidance. As we look forward in our plans and the need to scale up, it more than covered the cost of transitioning in our entirety over to the empow platform.
Some of the other SIEM providers that we looked at when we revisited the market would include LogRhythm, Splunk, and empow to name a few. A pro of empow would be the simplified licensing model. Both my organizations have had feedback over the years from many clients that's an area of concern, particularly with Splunk. Also, the simplified architecture particularly leveraging the Elasticsearch technologies really prevents the need to have a complex architecture with high power CPUs in place across each of your footprints where you have log collectors deployed. That was a major value add and very attractive to us.
We evaluate the partnership between empow and Elastic from a couple of different dimensions. First and foremost, what was our experience like as we were negotiating? Was empow in a position to adequately represent the business terms for Elastic, support terms, and other commitments that we needed to work through? The answer was yes. It felt very seamless to us. Secondly, the simplicity of the licensing model just made the process of acquiring technologies so much simpler and more straightforward than what we experienced in previous relationships.
The decision to partner with Elastic for that strategic partnership to be in place wasn't a Tier 1 criterion for us. However, what was a criterion for us was the outcome and capabilities which the partnership has resulted in, e.g., the speed to rapidly scale up, the ease of scaling down, and the ease of migrating a primarily on-prem data center strategy to a hybrid 50/50 cloud on-prem strategy with long-term plans for pursuing cloud far more aggressively. As we need to pull the levers to keep up with the demands of our business, we wanted to have comfort that it would not be a disruptive series of changes as related to the SIEM, and that we wouldn't have to go back and re-architect, then buy additional licenses for new features and functionalities. We wanted to avoid that complex license structure. We want to have confidence in our ability to scale up and down and migrate across multiple feeders as our business needs warrant. empow has done a great job in supporting us in that regard.
What other advice do I have?
If I were to rate empow on a scale of one to 10, I would give them a nine and a half, probably. Why it's so high is that there are no competitors on the market, in my mind, that have transformed the SIEM industry as much as empow. The speed with which they continue to innovate is impressive. Every couple of months, we're excited to learn about the latest and greatest capabilities of the platform. Most of the latest innovations have been centered around their automation capabilities. It's had such a tremendous impact on my organization. They tend to focus on what matters. It has given us high confidence that where we are spending our time is worth doing so. The alert fatigue and false positive rates have just plummeted, which is really exciting. They have transformed the industry, which no one would have expected not that long ago.
I'd like to give them a bit of a shout out: when they have given me commitments around enhancements, such as enhancing their reporting capabilities, some minor adjustments to the dashboard, and those types of feature requests, they've met those commitments as it relates to quality and timeline.
empow, without a doubt, is the most important monitoring tool that we have at our disposal. From a monitoring and incident response perspective, empow is the most valuable asset we have in our toolkit.
The biggest lesson I've learned from using empow would be just how far technology has come. It surprised me relative to the orchestration of the automation of our mitigations. That one was quite surprising. The accuracy and the level of confidence I have in the playbooks surprises me at how high it is, because it's quite high. Another area that surprised me would be the level of confidence that we have now in our ability to scale up and down, as scaling down sometimes can be equally as tricky.
The advice that I would give to anyone looking at empow would be primarily to ensure that your planning is sound. When I think about our experiences with empow, it's refreshing to think back about how easy that journey was with such a difficult technology stack. Not only was it surprisingly simple, it should not have been, since not long ago we were standing up a deployment of a net new sandbox environment where we were needing to build and deploy, then migrate, a very sizable deployment to this new ecosystem. Inevitably, we expected there to be some bumps along the road, but there were very few. I attribute this back to the quality of planning and the reliability of the technology that empow brings to the table. Therefore, my advice would be to ensure that your planning is sound. While it's exciting to know that the technology is very stable and the integrations are very straightforward with API-driven integrations, they never can really take into full account the uniqueness of your business. Thus, planning is absolutely paramount.
Which deployment model are you using for this solution?