Case study

Texas A&M University System Cyber Operations drives efficient scaling with Tines and Elastic

Highlights

  • Reduced response times
  • Scaling operations without hiring
  • Saving 300+ hours per month

“With Tines and Elastic, you can build exactly what you need, the way you need it.”

About Texas A&M University System Cyber Operations 

The Texas A&M University System Cyber Operations team protects a vast and complex network of 11 universities and eight state agencies, including the Texas Division of Emergency Management and the Texas A&M Forest Service. 

Executive summary 

The team at Texas A&M System Cyber Operations struggled with manual case management and the inefficiencies of disparate security tools, impacting detection and response times for its 30 higher education and public sector customers. A combination of Tines and Elastic has helped to speed up incident response, enhance analyst productivity, and deliver the flexibility required to meet the precise needs of its customers.

The challenge  

With tens of thousands of endpoints and billions of monthly telemetry events, the Texas A&M System Cyber Operations team faces a relentless barrage of cyber threats targeting students, research institutions, and other public sector customers across state, local and special district government. The extensive attack surface, spanning personal devices and critical research centers, required a more efficient and scalable approach to detection and response.

Why Elastic 

Before Elastic, the team was hindered by the need to source data from multiple security products, each with its own query language. Elastic enabled rapid response to threats while supporting innovation and efficient use of resources.

They saved over 100 analyst hours monthly, reduced incident resolution time by 99%, and streamlined security operations.

Engineering Manager Braxton Williams explains, "We selected Elastic Security for endpoint because it doesn’t just alert you to something bad, it empowers you to do something about it, fast."


Why Tines 

Recognizing the potential to improve efficiency through workflow orchestration and automation, the team began exploring tools to improve case management. After discovering Tines through a tip on X (formerly Twitter), Braxton decided to test the free Community Edition of Tines.

“I was like, ‘Wow, this is awesome.’ It’s easy to use and we don't have to spend a bunch of time building it out,” he remembers. “I had an idea of what I wanted this workflow to look like, built it out in draw.io as a flowchart, and then recreated it in Tines.”

It helped that Tines fit hand in glove with the organization’s existing Elastic setup.

Tines and Elastic are born to be married together because everything's in JSON at the end of the day. It's a common standard. The two fit together perfectly because of that.

Braxton Williams, Engineering Manager, Texas A&M System Cyber Operations

The Impact 

BEFORE TINES AND ELASTIC

  • Manual processes impacted response times
  • Time-consuming processes
  • Disparate tools hindering efficiency
  • Limited visibility into their network of environments
  • Scaling efforts hindered by workloads

AFTER TINES AND ELASTIC

  • Faster response times
  • 300+ hours saved monthly
  • Seamlessly connected tools
  • Enhanced visibility leading to major process improvements
  • Scaling operations without hiring

The combination of Elastic and Tines has enabled Cyber Operations to deliver faster response times and greater efficiency for its customers, while also scaling operations seamlessly without the need for additional team members.

Greater visibility for enhanced decision-making

Tines and Elastic provide the team with unprecedented visibility into their complex network of environments, from detection to resolution. “We have a lot more visibility into what we're doing,” says Braxton. “Specifically with the case management workflow in Tines, we're managing the entire case process with it. We're pulling live statistics from every stage.”

Process improvements and faster response times

This enhanced visibility has enabled the team to drive continuous improvements in their processes, Braxton explains. “All that extra granular data has enabled us to specifically target optimizations throughout the entire workflow.”

Using dashboards in Elastic, the team can analyze case data to identify detection rules consuming the most analyst time. “We can then prioritize those for detection engineering,” he adds.

We're able to figure out where we need to enhance tooling and provide extra context to get times like MTTD and MTTR down across the entire workflow. Adding Tines as that orchestration layer with Elastic has definitely helped us make positive improvements on those times overall.

Braxton Williams, Engineering Manager, Texas A&M System Cyber Operations
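As an added example of the kind of case-data analysis the dashboards described above support (this is not code from Texas A&M System Cyber Operations, Tines or Elastic), the script below takes a set of case records, ranks detection rules by the analyst minutes their cases consume, and reports MTTD and MTTR per rule. The field names, the rule names and the sample records are constructed, and the MTTD and MTTR definitions used are assumptions stated in the code.

```python
"""Rank detection rules by the analyst time their cases consume and report
MTTD / MTTR per rule from case records.

Added example, not code from Texas A&M System Cyber Operations, Tines or
Elastic. It assumes the case records have already been exported from the
case management workflow into plain dicts with the fields used below; the
field names, the rule names and the sample records are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample case records (times are ISO 8601, UTC). In the workflow
# described in the case study these would come from Elastic; they are inline
# here so the example runs offline. resolved_at is None for a still-open case.
CASES = [
    {"rule": "Suspicious PowerShell Encoded Command", "event_at": "2024-03-01T09:00:00Z",
     "detected_at": "2024-03-01T09:02:00Z", "resolved_at": "2024-03-01T10:02:00Z", "analyst_minutes": 45},
    {"rule": "Suspicious PowerShell Encoded Command", "event_at": "2024-03-01T11:00:00Z",
     "detected_at": "2024-03-01T11:02:00Z", "resolved_at": "2024-03-01T11:42:00Z", "analyst_minutes": 30},
    {"rule": "Suspicious PowerShell Encoded Command", "event_at": "2024-03-01T14:00:00Z",
     "detected_at": "2024-03-01T14:05:00Z", "resolved_at": None, "analyst_minutes": 25},
    {"rule": "Unusual Login Location", "event_at": "2024-03-02T08:00:00Z",
     "detected_at": "2024-03-02T08:01:00Z", "resolved_at": "2024-03-02T08:16:00Z", "analyst_minutes": 10},
    {"rule": "Unusual Login Location", "event_at": "2024-03-02T09:00:00Z",
     "detected_at": "2024-03-02T09:01:00Z", "resolved_at": "2024-03-02T09:16:00Z", "analyst_minutes": 10},
    {"rule": "Unusual Login Location", "event_at": "2024-03-02T10:00:00Z",
     "detected_at": "2024-03-02T10:01:00Z", "resolved_at": "2024-03-02T10:11:00Z", "analyst_minutes": 10},
    {"rule": "Unusual Login Location", "event_at": "2024-03-02T11:00:00Z",
     "detected_at": "2024-03-02T11:01:00Z", "resolved_at": "2024-03-02T11:21:00Z", "analyst_minutes": 10},
    {"rule": "Reported Phishing Email", "event_at": "2024-03-03T07:00:00Z",
     "detected_at": "2024-03-03T07:30:00Z", "resolved_at": "2024-03-03T09:30:00Z", "analyst_minutes": 20},
    {"rule": "Reported Phishing Email", "event_at": "2024-03-03T12:00:00Z",
     "detected_at": "2024-03-03T13:00:00Z", "resolved_at": "2024-03-03T14:30:00Z", "analyst_minutes": 30},
]


def _ts(value):
    """Parse a UTC ISO 8601 timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _minutes(start, end):
    """Elapsed minutes between two timestamp strings."""
    return (_ts(end) - _ts(start)).total_seconds() / 60


def rule_metrics(cases):
    """Per-rule case count, open cases, analyst minutes, MTTD and MTTR.

    MTTD is taken as event_at -> detected_at and MTTR as detected_at ->
    resolved_at (assumed definitions). Open cases are excluded from MTTR so
    an unresolved case neither crashes the calculation nor skews the mean.
    """
    by_rule = defaultdict(list)
    for case in cases:
        by_rule[case["rule"]].append(case)

    metrics = {}
    for rule, rows in by_rule.items():
        detect = [_minutes(r["event_at"], r["detected_at"]) for r in rows]
        respond = [_minutes(r["detected_at"], r["resolved_at"]) for r in rows if r["resolved_at"]]
        metrics[rule] = {
            "cases": len(rows),
            "open_cases": sum(1 for r in rows if not r["resolved_at"]),
            "analyst_minutes": sum(r["analyst_minutes"] for r in rows),
            "mttd_min": round(mean(detect), 1),
            "mttr_min": round(mean(respond), 1) if respond else None,
        }
    return metrics


def prioritize(cases, top_n=3):
    """Rule names ordered by total analyst minutes consumed, highest first:
    the rules worth sending to detection engineering first."""
    metrics = rule_metrics(cases)
    ranked = sorted(metrics, key=lambda r: metrics[r]["analyst_minutes"], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    metrics = rule_metrics(CASES)
    print(f"{'rule':<40} {'cases':>5} {'open':>4} {'min':>5} {'MTTD':>6} {'MTTR':>6}")
    for rule in prioritize(CASES):
        m = metrics[rule]
        mttr = m["mttr_min"] if m["mttr_min"] is not None else "-"
        print(f"{rule:<40} {m['cases']:>5} {m['open_cases']:>4} {m['analyst_minutes']:>5} "
              f"{m['mttd_min']:>6} {mttr:>6}")
```

Ranking by total analyst minutes rather than by case count is deliberate: a rule that fires rarely but takes an hour to work each time costs more than a noisy rule that is dismissed in seconds, and it is the former that pays back tuning or extra enrichment first. With the constructed data the PowerShell rule ranks first, then the phishing reports, then the login-location rule.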

Turning time savings into more impactful work

Before Tines, the Texas A&M System Cyber Operations team used to manually copy data from source systems into case management platforms.

“With Tines automatically pulling that data from Elastic, we’re saving 20 to 30 minutes per case. Not having to do that manual documentation, validation, and double-checking means we’re getting through more alerts in the queue, and freeing up more time for analysis.”

This has resulted in an estimated 200 hours in time savings per month, significantly boosting team efficiency.

In another use case, end-user phishing reports are extracted and enriched by AI in Tines, giving analysts a head start on incident investigations. This workflow has saved an average of 10 minutes per reported email.

Scaling without hiring

Tines and Elastic have allowed Texas A&M System Cyber Operations to grow without needing to expand its team. Braxton explains, “We've been able to focus more of our efforts into building out automation, enrichment, and our incident response capabilities to the point where, instead of having to add staff, we can just scale our growth more on the technical side and get analysts to the work they need to do, quicker.”

This allows the team to scale up a full end-to-end detection and response service across all 22 of their entities, while ensuring their offerings are fine-tuned to each customer.

“The software architecture that we've built on the technical side lets us take the same methodology and just start stacking it out,” he adds. “Our time to onboard right now is really fast. We could technically be doing detection in a customer environment and responding to things in less than 24 hours.”

Flexibility to support a complex service offering 

Tines and Elastic have proven to be an ideal combination for Texas A&M System Cyber Operations, enabling the team to deliver custom detection and response services that “don’t fit into most vendor use case boxes.”

Braxton adds, “Elastic is a behemoth of a platform with every component you could possibly want and it's up to you to build what you need from it.”

With Elastic, you’re able to choose your own adventure and build something that fits your team, your processes, and your business as opposed to being told, ‘Here's our way of doing it.’ Tines just stacks on top of that with the same philosophy - it’s about building exactly what you need, the way you need it.

Braxton Williams, Engineering Manager, Texas A&M System Cyber Operations

Top use cases 

  • Case management

  • Incident response and resolution

  • Phishing report ingestion and data enrichment

Top workflows 

Case management

Braxton’s team uses a complex Tines workflow comprising 240 actions to orchestrate and automate their case management process with Elastic.

“We split our casework into two stages,” Braxton says. “We have a triage stage that happens in Elastic and then we have either documentation as an end goal, or an escalated case, or phishing email responses to users.”

“Tines sits in between and handles all the synchronization and extracting statistics, extracting observable data from cases, syncing data back into Elastic about the actual workflow and what's been processed. It just sits there in between and manages all of that.”

Phishing report ingest and summarization

With this Tines workflow, users can report phishing emails directly through their mail application. Tines extracts the relevant data, enriches it with AI to summarize the information, and generates a risk score. 

The enriched data and summary are then added to an Elastic document, which is immediately shared with the analyst. This ensures that when analysts begin their work, they’re already equipped with everything they need to get started, significantly speeding up response times.

“It's a whole lot faster than starting from nothing,” says Braxton. “We don't do any automated decision-making in there, but it gets us significantly down the road and has shortened the amount of time that we're having to spend working those leads.”

What’s next 

Texas A&M System Cyber Operations is working on a new Tines workflow to enhance some of the incident response processes that already leverage Elastic. This workflow will automate Slack commands, enabling the incident response team to route notifications to OpsGenie for simultaneous alerts, automatically create a dedicated Slack channel for incidents, and more.

Tines will also generate templated documentation in Google Drive for major incidents. “We're going to set it up so that we can just go ahead and duplicate that folder, populate some basic info, and just have that ready to go,” says Braxton. “This isn’t functionality we need every day, but it’s very easy to implement with Tines and have it when we need it.”

The fact that both platforms connect easily to other technologies is a huge advantage, Braxton adds. “With Elastic and Tines, you can do whatever you want to do in the security space with regards to SIEM, endpoint, cloud, and any kind of orchestration and automation on top of that. You’re not at the mercy of a vendor saying ‘We don't support that.’” 

We can use Elastic and Tines to build workflows that actually fit our needs and help us accomplish what we need to accomplish. And I can’t say the same for a lot of the other software vendor combinations.

Braxton Williams, Engineering Manager, Texas A&M System Cyber Operations
