About
Elastic is the leading platform for search-powered solutions, helping organizations, their employees, and customers find what they need faster – all while keeping applications running smoothly and protecting against cyber threats. Elastic builds self-managed and SaaS offerings for use cases such as search, logging, security, observability, and analytics.
Executive summary
Before using Tines, the InfoSec team at Elastic carried out little to no automation. Any automation they did implement was done manually through Python. Daniel Gallagher, Security Automation Engineer, and Aaron Jewitt, Principal Security Analyst, brought Tines into the Elastic tech stack to elevate the way the team manages security automation. The first workflow deployed saved 93 days of analyst time with alert investigation automation. Since then, the team has deployed a total of 49 workflows in Tines and saved over 750 days in the last 12 months.
Commenting on the time saving, Daniel Gallagher, Security Automation Engineer, said: "We are confident that Tines is doing the work of at least 3 FTEs and most importantly is allowing us to be more thorough in the work that we do."
The challenge
The InfoSec team at Elastic deals with a high influx of alerts, noise, and false positives.
Each day, the InfoSec team receives security logs from dozens of different clusters – up to 100 TB of log data. The team manages over 1,000 custom and out-of-the-box alerts that send to Slack for analysis. The formatting and context setting required a unique script for every alert. With hundreds of alerts daily, this wasn’t scalable.
Daniel and Aaron built a business case for a central automation solution with the following initial objectives:
Produce alerts
Enrich and format them with relevant data
Distribute the relevant alerts and information to the analysts
The entire Elastic InfoSec team listed all automation vendors they knew of, including Tines, and worked out their pros and cons. The most important thing they were looking for was accessibility and ease of use.
“We needed a platform that anyone could jump into and build automations.”
Aaron Jewitt
Why Tines?
Aaron saw Tines' ease of use at Black Hat, and it didn’t take long for the rest of the team to agree.
“Once the team saw vendor demos, Tines stood out as the clear choice. Everyone bought into the ease of use and interoperability of the platform,” explained Aaron.
Since bringing on Tines, the team has built:
A few key use cases they’re especially proud of are:
Rolling out multi-factor authentication (MFA) updates
Detecting activity from unmanaged IP addresses
And, their favorite, alert investigation and triages
Rollout of MFA updates
"We initially thought we'd send an email and leave it to the managers. With Tines, we took 20 minutes and built a story that not only tracked who engaged with our Slack alerts, but sent notifications about the status of each employee." - Daniel Gallagher
Detecting activity from unmanaged IPs
"It's a workflow that started as a way to find attackers, but now, it's giving us valuable insight into what exists across our network. One of those things you don't know you need until you start looking." – Aaron Jewitt
Top workflow
As for their top used workflow today?
Alert investigation and triage
In their objectives, their #1 goal with an automation solution was to create, enrich, and distribute Elastic SIEM alerts to their analysts via Slack. As a distributed team, Elastic spends a lot of time in Slack. Building this process natively in Slack and allowing analysts to work from one interface was extremely valuable for the team.
It starts by immediately prioritizing the alert, weeding out anything low priority. Then, it distributes priority alerts to the relevant Slack channel or individual, where the analyst chooses from two actions: create a new case to track response efforts or merge with an existing case.
They can then opt into creating a channel using a slash command and the workflow automatically adds the relevant people and pins the status to the channel for easy reference.
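As an added illustration (not Tines' or Elastic's code), the prioritize, route and create-or-merge steps described above in Python. The severity threshold, the category-to-channel routing table and the sample alerts are all constructed assumptions; the page gives no such values.

```python
# Assumed severity threshold and routing table; Elastic's real values are not on the page.
MIN_SEVERITY = 50
ROUTING = {"authentication": "#sec-auth", "network": "#sec-network"}
DEFAULT_CHANNEL = "#sec-alerts"

class Triage:
    def __init__(self):
        self.cases = {}  # (host, rule) -> open case dict
        self._next = 1

    def route(self, alert):
        """Return the Slack target, or None when the alert is weeded out as low priority."""
        if alert["severity"] < MIN_SEVERITY:
            return None
        if alert.get("assignee"):
            return "@" + alert["assignee"]  # send straight to an individual
        return ROUTING.get(alert.get("category"), DEFAULT_CHANNEL)

    def handle(self, alert, action="auto"):
        """action: 'new', 'merge', or 'auto' (merge when an open case matches host+rule)."""
        target = self.route(alert)
        if target is None:
            return {"id": alert["id"], "dropped": True}
        key = (alert["host"], alert["rule"])
        existing = self.cases.get(key)
        if action == "merge" or (action == "auto" and existing is not None):
            if existing is None:
                raise ValueError("no open case to merge into")
            existing["alert_ids"].append(alert["id"])
            case, created = existing, False
        else:
            case = {"case_id": f"CASE-{self._next:04d}", "alert_ids": [alert["id"]]}
            self._next += 1
            self.cases[key] = case
            created = True
        return {"id": alert["id"], "target": target, "case": case["case_id"], "created": created}

# Constructed sample alerts (not real Elastic data).
SAMPLE_ALERTS = [
    {"id": "A1", "severity": 20, "host": "web-01", "rule": "Port scan", "category": "network"},
    {"id": "A2", "severity": 80, "host": "web-01", "rule": "Suspicious login", "category": "authentication"},
    {"id": "A3", "severity": 75, "host": "web-01", "rule": "Suspicious login", "category": "authentication"},
    {"id": "A4", "severity": 90, "host": "db-07", "rule": "Unmanaged IP", "category": "network", "assignee": "analyst1"},
]

def run_sample():
    """Triage the sample batch with automatic create-or-merge decisions."""
    triage = Triage()
    return [triage.handle(a) for a in SAMPLE_ALERTS]
```

The low-severity alert is dropped before it reaches anyone, the repeated rule on the same host is merged into the open case rather than creating a second one, and an alert with an assignee bypasses the channel table.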
One week after kicking off the workflow, the team found that they had processed the same amount of work that would previously have taken them 93 days: a significant time saving in a very short amount of time. Daniel explained that it has dramatically improved their process by letting him control how alerts are displayed to the analysts in the Slack channel.
“I'm a big believer in giving analysts the most relevant information and removing any distractions at a given time. As a result, there’s less alert fatigue because they aren’t sorting through irrelevant work. This wouldn’t be possible without Tines to enable that decision-making.”
Daniel Gallagher
Tines support
As the team builds awareness of the platform among other internal functions, Aaron and Daniel point new users and new team members to the Tines Bootcamp and hub, which helps them get started successfully.
While Daniel was originally a security analyst, he’s now solely focused on building business solutions in Tines. He’s supporting the security team while building broader internal awareness for the platform.
“Tines is so critical to our security operations that my role changed because of it. I went from security analyst to automation engineer because Tines is so important. I live there day-in and day-out and look after our operations and keep everything running smoothly.” – Daniel Gallagher
His relationship with the customer success team goes deeper than just support – Daniel has contributed to the Tines Technical Advisory Board (TAB) and the evolution of the Tines University and certification. There is a strong partnership between the Tines and Elastic teams, which Daniel describes as “very rare and unique.”
What's next?
Daniel has a backlog of 80 or 90 tickets with ideas for the team’s future use of Tines, so it’s just a matter of working with the team to choose the most impactful ones.
“Instead of just dropping or ignoring a large batch of low severity alerts, we can now inspect each and make decisions on them if needed. If you say the inspection and decision-making takes 30 seconds each for an analyst, it starts to add up fast when we have thousands come in each day.”
Daniel Gallagher, Security Automation Engineer
Elastic currently runs case management through Tines together with their existing case management solution. They built a Slack app using Tines to start a new case, and the app pulls in the information needed, such as the case name and who needs to be involved. The workflow then interacts with GitHub to update the files, track the status, and sync data with their case management system and SIEM. In the near future, they plan to migrate from their current case management system to their own stack. With Tines’s capabilities, this will be a smooth transition and will allow for expanded capabilities for the team.
“Anything can be done in Tines. There has never been a time that I couldn't achieve something with the product. It’s so versatile. If you can think it, you can do it.”
Daniel Gallagher