About the Broad
The Broad Institute of MIT and Harvard is a multi-disciplinary, cross-functional biomedical research and development organization. Based in Cambridge, Massachusetts, the Broad is deeply collaborative and committed to allowing the 4,500 ‘Broadies’ within its community to share their data, research, and tools openly to enable scientific breakthroughs to happen anywhere. The Broad also runs Terra.Bio, the world’s leading biomedical research platform that connects researchers with the datasets and tools they need to explore various aspects of the human genome.
Challenge
The Broad does big things at scale. Protecting vast amounts of sensitive data while honoring the institute’s founding principles produces complex security challenges. Additionally, information about their system, network, and users is found across their infrastructure, so determining a system flow or the risk factor of any particular system that throws an alert takes a lot of time and effort.
Why Tines?
Broad’s Defensive Security Operations team was running into scaling issues; trying to protect an enormous ecosystem with just six brains was very challenging. They initially deployed Tines’ free Community Edition after their CISO came across our platform while searching for an agile solution.
The Broad’s Associate Director of Information Security, Will Hedglon, explains how his team vetted Tines and got results fast after automating some of their most time-consuming workflows.
“We realized we needed some type of SOAR platform to ingest security intel, make good decisions, and then take actions based on that intel and those decisions. The thing that drew us to Tines is that you just plug APIs into it, and off you go; we aren’t locked into a particular vendor, we don’t have to worry too much about integrating with various platforms. If it has an API, we can do cool stuff with it, so that was the big thrust of why we were interested in Tines. We played around with it for a few weeks and realized this could be really great.
“I’m a very visual learner, so to be able to see everything, the different actions, and modules, is very powerful for me. We could write code to do some of what Tines does, but the amount of time and energy to do error checking and have everything broken out in a way that’s understandable to new team members would be impossible. Tines perfectly fit that gap of making it easy for us to use it, making our workflows understandable, providing really granular error checking, and enabling us to see exactly where something goes wrong. The approach to secrets management also gave us a lot of confidence.
“Pre-Tines, we had a manual, resource-intensive workflow to get an initial alerting from Google Cloud Security Command Center (SCC). For example, if somebody just made a bucket public, my team then spent a lot of time enriching that information to figure out who flipped the bit to make the bucket public, and which team that person is on, and who is that person’s manager, and all of this important enriching data. Then we would create a Jira ticket and find the proper outreach communications to talk to the user to understand if they intentionally made the bucket public, and then wrangle remediation. Each step took some manual intervention and the turnaround time was weeks or sometimes even months. Post Tines, we automate that all away, and users get a nice little Slack message within seconds of flipping a bucket public to remediate it.
We went from two to three weeks to close out public bucket-specific events to seconds with almost no interaction from my team, so that’s been an important initial win for us. Our original GCP SCC pipeline focused on two SCC categories; and we’ve scaled to seventeen categories in the last few weeks. We expect to scale out to all categories (~125) in the early fall. We never could have moved this quickly with manual processes.
Will Hedglon
Associate Director of Information Security
Broad Institute of MIT and Harvard
“Another big benefit of Tines is data enrichment. On the US-CERT alert side, all of the various IT operational teams get alerts from various vendors and government agencies informing us of new threats out there. Each team tries to respond to that, but a lot of them don’t have time. We’ve used Tines to start centralizing that alerting onto one Jira board, ingest the alerts, parse them out, know which technologies or software are involved, and send the right team the right Slack message to give a bit of context about the alert. Over time we’re building towards automated responses so the various teams can click on a button to say this is complete, auto close out the Jira ticket, or click another button in Slack if they need deeper engagement from IT support.
Tines is critical to enriching the information, so the non-InfoSec IT teams have context and understanding of the alert, and we’re able to deliver the right alert to the right people on the right teams.
Will Hedglon
Associate Director of Information Security
Broad Institute of MIT and Harvard
“I come from the defensive world and tend to use the ‘monitor, alert, respond’ approach. The alerting piece is, in many ways, the most important piece of that framework. It’s an ongoing, iterative, forever thing based on risk factors. There are some activities, log events, or behaviors that will always be high risk, and we want to alert and take action on those very aggressively. There are medium risks that aren’t terrible, but they should be on our radar for awareness. When it comes to responding, we’re big Slack users, so we’ve got a few channels based on the severity of the alert, and then Tines has helped us take actions based on those alerts. Right now, we’re working on end-user outreach, so Tines helps us talk to users to understand what they’re doing.
“The Broad is intentionally a very open organization to permit cross-team collaboration, and we don’t want to lose that spirit. Still, there are also areas we can be over permissive, leading to potential risk factors. It’s the next thing on our to-do list."
Top of a lot of organization’s minds is ransomware, especially after the Colonial Pipeline and Kaseya breaches. The Broad plan to use Tines to assist with preventing a similar breach.
"In the next few weeks, we’ll start using Tines to look more closely at VPN activity and engage directly with end-users when we see potentially suspicious activity. Tines enables us to capture and enrich user activity so we can have fast, targeted engagement with users.
“There are a bunch of forever threats, like phishing is always a thing and ransomware is bubbling up, that we’re always thinking about and mitigating. The overarching goals are to wrangle external threats as reasonably as possible and then shift our gaze towards improving insider threat risk reduction.
“We’re still relatively new to Tines. It is an investment in time to get everything set up and get the right resources and shift your thinking but it is a really great investment in time.
Tines has given my team more time and I think it will be even more amounts of time as we get these pipelines built. The team loves it; they always get their Tines-related stories done in the first half of the sprint, which is a good indicator that it’s interesting and something they actually want to do.
Will Hedglon
Associate Director of Information Security
Broad Institute of MIT and Harvard