How Kudelski Security Reduced Alert Fatigue and Sped Investigations
- Oct 17, 2024
- By Molly Conway
- 4 minutes to read
This blog is the third in a series looking at how companies are using Hunters and Snowflake to adopt a security data lake and implement a modern SIEM. Learn how PennyMac and Xactly are using a security data lake.
Previously for analysts at Kudelski Security, a leading MSSP, investigating a security incident for a client wasn’t a totally straightforward process. It required a fair amount of pivoting between the SIEM Kudelski Security used and the security tools that contained data that wasn’t in the SIEM. With fast time to detection and remediation being critical in an incident, this approach lengthened that process.
“They'll do some investigating in a SIEM and then they'd have to pivot to another tool like an EDR to finalize their investigation. This expanded out the time to detect and time to remediate,” said Michael Sanders, Senior Security Solutions Architect at Kudelski Security, at the 2024 Snowflake Summit.
The reason for this pivoting? The legacy SIEM Kudelski Security used wasn’t cost-effective, forcing customers to balance the data they needed ingested into the SIEM against what the budget allowed, a common issue for MSSPs and enterprises alike.
Cost wasn’t Kudelski Security’s only issue with legacy SIEMs. The engineering “wasn’t keeping up” with their customers’ needs, Sanders said. Alert investigation was a highly manual process, creating more work for already taxed analysts, and scaling to handle increasing data volumes was challenging.
Creating a modern MDR service anchored by a security data lake
To provide customers with a more cost-effective solution, Kudelski Security began using Hunters and Snowflake to create a modern SIEM that underpins its MDR service.
“The old concept of what a SIEM is, how it operates, it’s dying. We’re moving to having a detection and correlation tool like Hunters running on top of an enterprise-class data lake like Snowflake,” Sanders said.
Another area where traditional SIEMs weren’t keeping up with the needs of Kudelski’s SOC: alert investigation. Traditional SIEMs require analysts to investigate each alert individually, creating a massive queue. Hunters clusters alerts that belong to the same attack based on shared threat context (who, where, what), so analysts can triage, validate and investigate multiple alerts at once, which greatly increases Kudelski’s analyst efficiency.
“We're now looking at three, four or five alerts at once. Hunters makes us much more efficient at being able to deal with alert fatigue,” Sanders said.
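As an added illustration of the clustering idea described above (example code written for this post, not Hunters’ or Kudelski Security’s own implementation, and not a claim about how Hunters does it internally): alerts that share a user, host or source IP are joined transitively into one cluster, so an analyst triages the cluster once rather than each alert separately. The alert records, user names, hosts, IPs and technique IDs are all constructed sample data.

```python
"""Cluster related alerts by shared threat context (who / where / what)."""
from collections import defaultdict

# Constructed sample alerts (not real telemetry). Each carries the entities an
# investigation pivots on: user (who), host and source IP (where), technique (what).
SAMPLE_ALERTS = [
    {"id": "A1", "user": "jdoe", "host": "ws-101", "src_ip": "203.0.113.7", "technique": "T1110"},
    {"id": "A2", "user": "jdoe", "host": "ws-101", "src_ip": "203.0.113.7", "technique": "T1078"},
    {"id": "A3", "user": "svc-backup", "host": "srv-db2", "src_ip": "198.51.100.4", "technique": "T1021"},
    {"id": "A4", "user": "jdoe", "host": "srv-db2", "src_ip": "203.0.113.7", "technique": "T1021"},
    {"id": "A5", "user": "mlee", "host": "ws-204", "src_ip": "192.0.2.9", "technique": "T1566"},
]

# Entity fields on which two alerts are considered part of the same activity.
PIVOT_KEYS = ("user", "host", "src_ip")


def cluster_alerts(alerts):
    """Group alerts sharing any pivot value. Union-find makes the links
    transitive: A1~A4 via the user, A4~A3 via the host, so all four cluster."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (field, value) -> id of first alert carrying that value
    for a in alerts:
        for key in PIVOT_KEYS:
            token = (key, a[key])
            if token in first_seen:
                union(first_seen[token], a["id"])
            else:
                first_seen[token] = a["id"]

    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(a["id"])].append(a["id"])
    return sorted(sorted(ids) for ids in clusters.values())


def cluster_context(alerts, ids):
    """Collapse one cluster into the who/where/what an analyst reviews once."""
    by_id = {a["id"]: a for a in alerts}
    return {k: sorted({by_id[i][k] for i in ids}) for k in PIVOT_KEYS + ("technique",)}
```

With the sample data this yields two clusters, one of four linked alerts (A1 to A4) and one isolated alert (A5), and the context summary of the first cluster lists every user, host, IP and technique involved.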
How rethinking their SIEM benefits Kudelski Security’s customers
Kudelski Security’s analysts have also become more efficient at investigating an incident. Since they can offer their customers a more effective, scalable way to store data by using Snowflake, they’re able to store more data in one place and decrease the need for analysts to pivot between tools.
“By sending their data to Snowflake, we've seen an increase in the cybersecurity posture of our clients. We can now show greater coverage of the threat actors and their techniques being used to target our clients because we have the data needed for their bad actor activities. And our analysts can stay within a single pane to conduct their investigation, saving them time,” Sanders said.
“We have been at this process with Hunters and Snowflake for about 18 months and I'm surprised at how effective it’s been and how much money we're able to save. We passed the vast majority of that on to the clients because it makes us much more competitive with the other service providers.”
Why other companies are moving to Next-Generation SIEMs
Kudelski Security isn’t alone in rethinking its approach to SIEM. Yext, a SaaS company that offers a digital presence platform, needed a SIEM that allowed it to develop alerts specific to Yext’s environment. A SIEM that only provided standard alerts for what a company typically looks for would generate too much noise, said Philip Ayoud, application security engineer at Yext.
The company found what they needed in Hunters.
“We use Hunters as our SIEM. Hunters really allows us to tailor fit our alerts to Yext. We take our unique software stack and the data it generates and pipe that into Hunters. This has been instrumental in modernizing our program and reducing noise. And in the security game, it’s always about reducing noise,” he said.
At PennyMac, taking a best-of-breed approach to its security stack allowed the company to pick the SIEM it wanted. The mortgage provider went with Hunters and Snowflake, giving it a SIEM that, in addition to greater cost transparency, helps with the cybersecurity talent shortage.
“Legacy SIEM platforms often use proprietary technology that’s known by a limited number of people,” said Cyrus Tibbs, CISO, PennyMac. “Detection engineering was beyond the skill set of junior analysts and required escalating an incident to an engineering team specializing in that SIEM.” With a Snowflake security data lake, SOC teams query the data in SQL, which “is very accessible.”
Interested in adopting a security data lake and modern SIEM like Kudelski? With Hunters you can bring your own data lake or leverage Hunters' embedded one. Contact us to learn more.