
Top Services Firm Turns to SOAR Framework to Protect Clients

By moving to the SOAR framework, Crowe was able to improve the speed and effectiveness of its managed detection and response platform in detecting and validating threats to its customers.

As a top consulting and technology firm, Crowe LLP works hard to protect its customers from risks of all types. Crowe's Digital Security practice does just that, providing clients with the technology and expertise to detect and respond to threats quickly while minimizing false positives.

Until last year, Crowe accomplished this with a SIEM-as-a-service offering. The security information and event management approach was effective, but the group's leaders could see that results were taking too long and threats could occasionally be missed. Most importantly, clients were asking for more. Glen Combs, a partner at Crowe who leads the company's Managed Detection and Response (MDR) team, calls the previous system "organized chaos." He recalled the case of one client whose systems generated nearly 750 million events in the course of one month. The old system filtered those alerts down to 11,293, all of which needed to be filtered and prioritized by a live security analyst.

After researching the options, the team decided to rebuild its MDR platform from the ground up, based on the Security Orchestration, Automation and Response (SOAR) framework. The SOAR framework supports threat and vulnerability management, security incident response and security operations automation.

That sounded like the right approach for Crowe's next-generation MDR, which would be designed for 24/7 detection and live analyst response with quick validation of events.

"We realized that the sheer amount of data we had to analyze in real time would overwhelm us without integrating SOAR. The resources wouldn't be affordable even if they were available, and the availability of security analysts was also an issue," Combs said. "And without SOAR, we really couldn't provide the early detection that is so necessary today. We could only review things on an after-the-fact basis."

With the issue of the SOAR framework settled, Combs and his team began searching for the right set of technologies and products on which to build the new MDR system. The team chose to anchor the system with Siemplify's SOAR-based security operations platform, combined with Microsoft Azure and Elastic. Crowe launched the MDR service in beta in mid-2018.

It all starts at the client site, where Crowe installs a network security monitor (NSM) on the customer's network. It monitors network traffic and ingests relevant data sources including network logs, Active Directory logs, security logs and detection response logs for all laptop, desktop and server endpoints. The NSM performs some prefiltering and transformations on the data before sending it along to the actual MDR system. Client sites also install VMware's Carbon Black ThreatHunter, which has its own platform in the cloud. Crowe has built rules into ThreatHunter as well.

The MDR system itself, which Crowe analysts access through the company's Security Operations Center (SOC), is built on Microsoft Azure infrastructure. Applications, including Siemplify's SOAR framework and Carbon Black, run on that infrastructure. When events enter the system from a client's NSM, they enter a "pipeline," which does some normalization of the data to put it into a similar format. The platform then enriches the data with threat intelligence and applies some machine learning algorithms.

The resulting logs and alerts are sent to Elastic, a powerful database that allows Crowe to store large amounts of data and search it quickly. The MDR system includes an API between Siemplify and Carbon Black, so if an event considered worthy of investigation is identified by ThreatHunter, it will be included in the profile.

Siemplify then reads any alerts stored in Elastic and combines them, if necessary, to create cases for Crowe's analysts. In addition to alerts, Siemplify tracks the actions that analysts take to investigate. Analysts also use Siemplify for case management—playbooks that are essentially automated responses to certain types of alerts.

All data about a particular case is maintained within Siemplify. That information is transferred to ServiceNow so Crowe's clients can see exactly what's happening at all times through Crowe's portal.

Better, Faster, Easier

After implementing the new platform, Crowe analysts began seeing real results. Most importantly, Siemplify's threat-centric approach to case creation and correlation reduced the number of actionable threats that Crowe analysts had to address. For example, while the previous MDR platform had been able to reduce the number of potential threats for a client down to 11,293 from nearly 750 million, the new platform was able to narrow the field down to 54 cases.

"I can't imagine how many analysts it would take to do a good job of reviewing 11,293 alerts," Combs said. "But this allowed our Level 2 analysts to spend their time investigating, diagnosing and eventually narrowing down 54 incidents to just four that deserved a response and resolution from the client."

The speed at which everything took place also improved dramatically with help from the SOAR framework. Actions that once took five to 10 minutes each now take 30 seconds or less, and processing threats and issuing threat notifications went from hours down to just a few minutes.

It has also improved the overall efficiency of Crowe's SOC by, according to Combs' estimations, 80% to 90%.

"Alert fatigue is one of the biggest challenges in these types of situations, mainly the burnout of sitting in front of the glass all the time," Combs said. "By gaining this much efficiency, we can allow our team to do more things like threat hunting, rule development, developing the playbooks within Siemplify or helping our clients."

Over time, Combs hopes to improve the client experience even more, improving visibility and transparency. The combination of technologies now in place promises to help the company meet those goals.
