About Lyrical Security
Lyrical Security is a full-service managed security service provider, with customers across North America ranging from Fortune 500 enterprises to SMBs. Their team provides highly customized services to help clients accelerate security maturity and achieve their compliance goals.
Executive summary
This high-performing MSSP sought to leverage workflow orchestration and automation to provide exceptional client service and decrease response and analysis times without expanding their team or cutting into their profit margins, thanks to enhanced productivity. Tines exceeded their expectations, offering a swift onboarding process and significant time savings for SOC ticket management. Using the platform has also opened up new use cases beyond security.
The challenge
For MSSPs, a key challenge is managing headcount. Each new client adds to the workload and drives up service costs.
To address this, Lyrical Security sought a more efficient way to scale operations. There’s only so much work that its in-house team could handle, explains Aaron Cleary, VP of Cybersecurity Products and Services. They looked for a way to expand their team's capacity without significantly increasing costs, while still maintaining high service standards.
Before adopting Tines, the team relied on some automated processes to help manage their workload, but building and maintaining these solutions was resource-intensive. Despite these efforts, a significant amount of time and energy was still required to handle tickets across multiple technologies.
Analysts used to have to manually log into systems, run queries, and pull data to enrich their own tickets. This not only affected productivity but also exposed the organization to human error.
Aaron Cleary, VP of Cybersecurity Products and Services
Why Tines
Lyrical Security looked for a SOAR provider capable of driving more automation and enhancing existing processes to make its security experts more effective. They selected Torq, but several months later, having failed to realize the anticipated gains, they turned to Tines.
“It's easier for us to deal with the pricing, and everything was more transparent with Tines,” says Aaron. “As a smaller MSSP, it was easier for us to work out pursuing a relationship with Tines than it was to continue our relationship with Torq.”
The Impact
The process of migrating from Torq to Tines was fast and easy, thanks to Tines’ onboarding support, Aaron explains.
Tines has added value for Lyrical Security in three key ways:
Increased margins
“The most expensive part of the business is obviously people. So there is a fixed amount of ingest that a single security engineer can manage for the organization. But if you aren't able to handle a high amount of data, you have to hire more engineers,” says Aaron.
The biggest thing that Tines allowed us to do is increase the amount of data that our security engineers can deal with day to day, which helps us keep our costs down, while maintaining solid deliverables to our clients.
Aaron Cleary, VP of Cybersecurity Products and Services
Time savings for analysts
Tines has also taken the burden off Lyrical Security’s analysts by automatically running queries, enriching data and adding information to incoming tickets. That saves the SOC team five to 10 minutes per ticket, saving hundreds of hours per month, while minimizing human error.
“It’s another huge business challenge that we've been able to overcome so far with Tines,” says Aaron. “And we're going to build upon that.”
Further, Tines' case management product Cases has streamlined how analysts handle incidents day to day.
Seamless integrations
Tines has helped Lyrical Security streamline operations further thanks to straightforward integration with third-party solutions like Jira, Slack, and AWS tools.
"It's hard for any organization to keep integrations working perfectly all the time, because lots of third parties will redeploy and change their APIs, which could break things," Aaron says. "But that’s easy to take care of inside of Tines."
If we have any problems with integrating, or there isn't an integration available, then we can just use that product’s API to do it manually. It’s all been pretty seamless.
Aaron Cleary, VP of Cybersecurity Products and Services
Top use cases
Incident response
Detection engineering
Ticket management and triage
Top workflows
Lyrical Security rapidly advanced from the basic workflows they initially built in Torq to more sophisticated, complex workflows. These include:
SIEM/ticketing integration
This workflow “is designed to chop up and send data where it's supposed to go, and make modifications to the data based on what it's seeing,” Aaron says.
Automated image pipelines
“If we onboard a new client, and we need to build out virtual systems for them, we don't have to do that manually anymore,” Aaron explains. “We have Tines glue together all of the different pieces that build out and deploy those systems for us, and create those initial images.”
Slack bot for day-to-day tasks
When onboarding new clients, Lyrical’s project management (PM) team has to reach out to its security engineers with requests such as deploying new SIEM customers or creating images. A new Slackbot is now able to kick off that work for them automatically via a Tines workflow.
“Instead of someone having to manually go and do that, or a PM having to get in touch with a security engineer who has their head down doing something, they can ask the Slackbot to do it for them,” Aaron explains.
We wouldn't be able to do it as quickly and effectively without Tines.
Aaron Cleary, VP of Cybersecurity Products and Services
Favorite feature
Multiple entry points for a single workflow
Aaron particularly likes the webhook action type, for their ease of use and the ability to include multiple webhooks within the same workflow.
“I can't express how useful that feature is, because then we can have different types of data go to the same workflow, but sent to different webhooks, which allows us to keep the data separated out,” he says. We don't have to build a bunch of if statements and loop things in weird ways. We can just have things segregated by default within the workflow. It's extremely useful to us.”
Customer support
Aaron and his team have also been impressed by the support they received from Tines, especially in the onboarding stage, which Aaron says enabled the firm to get going faster than any previous SOAR solution.
The Tines team made it easy to migrate the workflows we had in Torq. Any questions we had along the way, they were quick to answer and help us figure out the differences between the two systems.
Aaron Cleary, VP of Cybersecurity Products and Services
“The communications via Slack help us a lot. We're able to quickly pop questions into the Slack channel and get feedback near real time, which is really useful for us when we're doing development work inside of Tines.”
Lyrical Security also appreciated the “robust documentation” featured in the Tines’ University to help with support.
“We know we're not the largest company right now, but it's nice to see an organization that's willing to put in the time and effort to help us get there,” says Aaron.
What’s next
As for the future, Lyrical Security is going to continue building workflows to manage the detection engineering pipeline, and use Tines to improve analyst productivity.
“Tines’ case management system [Cases] integrates so closely with Tines workflows, which is going to streamline the entire investigatory process, and save time and analyst headaches day-to-day,” says Aaron.
The MSSP is also set to build workflows for teams outside of security.
The more we use Tines, the more we realize what we can use it for. What surprised us is that we found use cases that we didn't think of before.
Aaron Cleary, VP of Cybersecurity Products and Services