BACKGROUND
Clumio provides a data protection service that helps the world’s leading enterprises automate the protection and recovery of critical data in applications, data lakes, and other data services on AWS. The company’s SaaS-based platform ensures data resiliency against ransomware attacks, account compromises, and data loss. Its innovative backup and recovery solution helps organizations streamline data compliance and strengthen their disaster recovery strategy, making it a natural complement for Hunters customers seeking to round out a comprehensive security posture.
As an organization that is focused on protecting customer data, Clumio’s SOC team is no stranger to the importance of secure and efficient threat detection and investigations. While their previous process of manually investigating the alerts from their security stack was effective in the short term, the team needed a solution that would take their security posture to the next level as Clumio continued to grow and scale rapidly.
CHALLENGE
- Clumio’s small, highly skilled security operations team was relying on alerts generated by the various security tools in their stack to catch and respond to events in time.
- Constant context switching and manual correlation between security tools had become tedious and burdensome.
- The team knew they needed a security partner to facilitate efficient and effective incident investigations.
SOLUTION
- After acquiring Hunters SOC Platform and Snowflake through the AWS Marketplace, Clumio’s team now has a single pane of glass for their threat detection and investigation efforts.
- The platform's cross-data source correlation capabilities automatically link telemetry from various data sources, giving them full visibility into events occurring across their entire environment.
- Clumio saw immediate value in their Hunters deployment when they compared alerts from Hunters to what was being surfaced in their existing security stack.
IMMEDIATE VALUE
Hunters showed immediate value to Clumio when it surfaced and alerted on unexpected activity on an endpoint. Using Hunters’ cross-data source correlation, data from Google Workspace and Okta was stitched together to generate profiles for all users, which included login information. When a low-fidelity threat signal was detected from an endpoint using raw event logs from their EDR tool, it was automatically linked with events from other security tools.
Individually, none of the detected events raised an alert, but once the behavior observed across multiple events was correlated together, it produced an alert that warranted further investigation.
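To make the correlation pattern described above concrete, here is an added example (not Hunters' or Clumio's code) of the logic: identity logins from Okta and Google Workspace build a per-user profile of known source IPs, a login from an unknown IP and a low-fidelity EDR signal each score too low to alert alone, and an alert fires only when weak signals for the same user span two or more data sources inside a time window. All event records, field names, users and IP addresses are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical users, hosts and IPs).
# Baseline logins establish each user's known source IPs; each "today"
# event carries only a weak signal that would not justify an alert alone.
BASELINE_LOGINS = [
    {"src": "okta", "user": "alice", "ip": "203.0.113.10"},
    {"src": "gws", "user": "alice", "ip": "203.0.113.10"},
    {"src": "okta", "user": "bob", "ip": "203.0.113.22"},
]
TODAY = [
    {"src": "okta", "ts": "2024-05-01T09:40:00", "user": "alice", "ip": "198.51.100.7"},
    {"src": "gws", "ts": "2024-05-01T09:41:00", "user": "alice", "ip": "198.51.100.7"},
    {"src": "edr", "ts": "2024-05-01T09:52:00", "user": "alice", "host": "alice-laptop",
     "signal": "unsigned_binary_from_temp"},
    {"src": "edr", "ts": "2024-05-01T14:10:00", "user": "bob", "host": "bob-laptop",
     "signal": "unsigned_binary_from_temp"},
]

def build_profiles(logins):
    """Map each user to the set of source IPs seen across Okta and Google Workspace."""
    profiles = defaultdict(set)
    for e in logins:
        profiles[e["user"]].add(e["ip"])
    return profiles

def weak_signals(events, profiles):
    """Reduce raw events to low-fidelity signals as (time, user, source, description)."""
    out = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["src"] in ("okta", "gws") and e["ip"] not in profiles[e["user"]]:
            out.append((ts, e["user"], e["src"], f"login from new ip {e['ip']}"))
        elif e["src"] == "edr":
            out.append((ts, e["user"], e["src"], e["signal"]))
    return out

def correlate(signals, window=timedelta(hours=1), min_sources=2):
    """Cluster a user's signals inside `window`; alert only when the cluster
    spans at least `min_sources` distinct data sources (one alert per user)."""
    alerts, by_user = [], defaultdict(list)
    for s in sorted(signals):
        by_user[s[1]].append(s)
    for user, sigs in by_user.items():
        for ts, _, _, _ in sigs:
            cluster = [s for s in sigs if ts <= s[0] <= ts + window]
            sources = {s[2] for s in cluster}
            if len(sources) >= min_sources:
                alerts.append({"user": user, "sources": sorted(sources),
                               "signals": [s[3] for s in cluster]})
                break
    return alerts

def run():
    """Build profiles from the baseline, then correlate today's weak signals."""
    return correlate(weak_signals(TODAY, build_profiles(BASELINE_LOGINS)))
```

Running `run()` yields a single alert for `alice` spanning `edr`, `gws` and `okta`, while `bob`'s lone EDR signal stays below the threshold.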
INVESTIGATING THE INCIDENT
The investigation showed that the activity was inconsistent with expected behavior, and Clumio's security team verified that it was not intentional. Clumio was then able to investigate further and proactively categorize the incident with efficiency.
Hunters’ quick detection of the event and intuitive Attack Stories allowed Clumio’s security team to quickly understand the full context of the activity, and ultimately respond much faster and more effectively than ever before.
“Hunters’ aggregation and analysis platform was able to make a very compelling argument from these pieces of insight - that this event was worth looking at, based on activity alone, and not through pre-programmed profiles or rules - to 'see' what others had missed.”
Michael Pepin
Sr. Security Analyst