|Nonprofit Tech||Lack of threat detection by current SIEM||200+|
Merit’s previous SIEM produced too much manual work to get any security value out of it, while generating too many false-positive alerts for their IT team.
Blumira integrates with Merit’s critical cloud infrastructure to provide automated detections with contextual data, as well as playbooks to walk their team through response and remediation.
“Blumira provides expertise in understanding alerts. With a limited staff, it’s important that someone has my back – Blumira’s team has a real commitment to its customers.”
Merit Network is a non-profit, member-owned organization governed by Michigan’s public universities. Founded in 1966 by the University of Michigan, Michigan State, and Wayne State University, Merit owns and operates America’s longest-running regional research and education network.
Earlier in its storied history, Merit played a key role in the formation of the Internet, including being part of the ARPANET, managing the NSFNET, and later joining the education-focused Internet2. After 50 years of innovation, Merit continues to provide high-performance services to the educational and public sector communities in Michigan and beyond.
As CISO (Chief Security Information Officer) at Merit, Kevin Hayes is responsible for internal security as well as developing security products for their members. He was very familiar with SIEM solutions, after using IBM’s QRadar for many years in a previous role. He found them to be complex to configure and fine-tune, as well as resource-intensive to manage for SOC (security operation center) capabilities.
Merit was previously using a log correlation tool that never worked right, had many licensing issues, and made getting information out of it next to impossible – in other words, “a very expensive paperweight,” according to Hayes.
As a result, the security detection and response process at Merit required a lot of manual work from Hayes’ team – they would spend many hours a week to troubleshoot support tickets. They often received alerts that were improper or out of order, and they had to investigate each one. His team was also getting alert fatigue, getting false-positives for days and weeks on end.
“Prevention is great – but detection is a must,” said Hayes. With their previous solution, they weren’t able to get to effective threat detection within their environment. Merit could have had security incidents they weren’t even aware of due to the lack of detection.
Another Merit executive recommended Blumira as an alternative solution to their current SIEM.
“What I really appreciated about Blumira was how simple it was to deploy – we were up and running in under an hour,” said Hayes.
Merit easily integrated all of their critical and cloud infrastructure with Blumira’s platform for detection and response. That includes Palo Alto Next-Generation Firewalls, Linux/Unix servers, Microsoft Windows servers and Google G Suite.
Merit also uses Blumira’s honeypot to detect malicious activity and lateral movement. Deploying the Blumira honeypot took three minutes of work (just a few clicks!) – and they never had to worry about it again. Blumira’s honeypot provides additional fidelity about things that might be happening internally for Merit, according to Hayes.
“As a security person, you need visibility and to know when the bad things happen. We now have that visibility with Blumira,” said Hayes. “We can get alerted right away and use Blumira’s playbooks to bring security issues to resolution and guide our operators through remediation.”
Like many organizations, Merit doesn’t have a dedicated security staff assigned to sit in front of security operations center (SOC) screens and watch for incidents. Merit values Blumira’s reliability and support as a trusted security partner.
“Blumira provides expertise in understanding alerts, with additional context and viewpoints. With a limited staff, it’s important that someone has my back – Blumira’s team has a real commitment to its customers.”
Now Merit’s smaller staff are notified of security problems with automated threat detection on a 24 hour basis, and thanks to Blumira’s playbooks, they can be just as responsive as a large team. In addition to saving time, Blumira has increased the ease of communication between their support and security teams, fostering a security community at Merit and strengthening the overall security posture of their organization.
“Bring me the data,” said Hayes. “Blumira shows us indicators of a compromise and how they got the results; everything in a single pane of glass to help us understand the context of the alert.”
Merit uses Blumira’s Security Dashboard for their monthly security report as an overview of what’s happening across their environment. They were monitoring over 220 million events a week – Blumira made security more easy to manage by applying logic to show them only the things they actually need to worry about.
Merit also uses Blumira’s Manager Dashboard for a closer look at detections. One example is a PSExec finding on their network. PSExec is a command-line tool that allows privileged users to execute processes on remote systems – attackers can also use it to move laterally. Hayes was able to validate that the command was being used by a legitimate user with Blumira, and his team leveraged Blumira’s playbook to walk them through easy remediation and response.
“Within 15-20 minutes, we were able to ascertain it was a brand new employee that was doing legitimate work,” said Hayes. “Blumira’s platform helped confirm and validate that it was a real employee. That knowledge that it was a known-good was really important.”
“There’s a few checks and balances in Blumira’s platform to ensure that you have some control, in addition to providing automated threat response,” said Hayes.
Full automation isn’t always better, when it comes to information security – Blumira remains a valuable resource, playing a trusted advisor role with Merit and helping vet and gate automated responses, when needed.
“We do feel like we’re a true partner – as an organization, we care about you, you care about us; this is important and makes a difference in the security community. Blumira is an amazing example of that.”
Replace Your SIEM: Traditional vs. Modern SIEM
Legacy SIEMs can be complex, noisy and lack remediation. Replace your SIEM with a modern platform for automated threat detection and response, with lower overhead.