How KnowBe4 transformed internal processes with Tines

Challenge 

KnowBe4’s purpose is to reduce the problem of social engineering. Its security team goes beyond simply trying to catch and respond to incidents as they occur and actively aims to prevent them from even happening in the first place.

Thus, the team wanted a SOAR solution that supports powerful data integration, automation, and analysis to help them mitigate risk and enable them to reduce the time spent on recurring tasks.

Why Tines? 

KnowBe4 offers a range of products, including KMSAT (Kevin Mitnick Security Awareness Training) and PhishER, which they’ve found to work extremely effectively with Tines.

Dylan White, KnowBe4’s Information Security Engineer, says: “One of the biggest challenges for us was the time it takes to build out automated security pipelines. Tines made it a lot easier to get data in and out to an actionable response.

“Tines is very visible; you can see exactly what’s going on, it’s straightforward to explain to other team members how we’re doing things; it’s all a map. It’s very easy to see what is happening.” 

While KnowBe4’s security team is technical, ease of use is still a priority when they’re evaluating new tools.

Recalling what drew him to Tines, Dylan says: “There were a lot of different things. Ease of use was one. The documentation was very helpful. The CSMs I worked with, Peter and Hazel, were very helpful with onboarding. I love the fact that once you learn how to do one thing as far as a connection or automation with an API, you can attribute that to every other tool that might have a similar workflow. You can reuse things.

“Tines is very intuitive in pretty much every aspect; the platform is just really easy to use, so it does a really good job at saving time. The time saved pays for itself, in my opinion.”

One of the use cases KnowBe4’s security team has successfully implemented is Employee Offboarding.

Dylan explains: “We have an offboarding process whereby if an employee were to leave, we make sure all of their access has been removed, as well as a lot of record-keeping. Using Tines, we’re able to forward a ticket into the platform with the Webhook Action, and automatically walk through all of our applications to just double-check their access has been removed. We can also do some digging on our logs to make sure there’s no funny business going on. Then Tines spits information back to the ticket to say, ‘Hey, here’s all the extra information that we were able to pull.’

“Then, let’s say you have to submit another ticket to the HR board, Tines makes it easy for any analyst or person looking at this information to decide what action to take. And, again, that’s all piped through Tines. Tines makes it really simple to do these things. Previously, that type of workflow was a very manual process. I was able to build a Tines Story that reduced the time spent by 50 to 75%, which was a good and easy win.”

Dylan has also automated some of KnowBe4’s user access reviews.

He says: “It’s just about making sure a person needs access to a system. If they haven’t opened an app in 120 days, do they still need access? So, I built out a Tines form to put in a list of users pulled from various applications and it spits out which users should have access to that environment.”

KnowBe4 has automated elements of its internal training program to ensure employees are always up to speed with KMSAT.

Dylan explains: “KMSAT has a lot of integrated features within the platform. We offer two different API endpoints. The Reporting API for KMSAT allows you to pull information out, and we have the User Event API to put information in.

“In terms of reporting, we might want to pull information out. For example, to send Slack messages to people that may be overdue on training, or maybe have just failed a phishing test, or passed a phishing test, and it gives really good user interactivity between the platform and the events that were triggered. We could have done it another way, but Tines made it easy to build out, and it’s really effective. Users get instant feedback which aids in the learning process and breeds confidence in their actions.

“With the User Events API, we have a form that our infosec team uses to record events that occur outside the KMSAT platform. For example, say a user reported a real phishing attack, or maybe a user reported something that was public-facing that maybe shouldn’t be, now we can put that info into KMSAT. It builds a real risk portfolio of our users based on real-world data. The goal here is a bit to get more information in so that we can take action on user behavior in real-time. Tines provides a really interesting way to pipe things through to increase this interactivity.”

Check out KnowBe4’s customer support article, How to Add KMSAT Training Notifications to Slack, for a specific example of the interactivity between Tines, PhishER, and Slack.

Dylan adds: “Tines definitely allows us to get things done faster. It’s pretty enjoyable to use because you’re not staring at code the entire day, but rather a process map. It’s clear when you do things wrong because there are big error messages and helpful tips.”

A vast majority of the data breaches that occur today are the result of phishing and other social engineering tactics, which lead to leaked credentials, data exfiltration, ransomware, or worse.

“Our focus is making sure that we catch things when they do happen and then going further. We want to help prevent them from ever happening through awareness."

"The interactivity between our platform and Tines and the ability to add extra functionality means we can let people know what’s going on immediately. So, not only are we looking at phishing emails and identifying them, we’re able to tell the rest of the company to watch out for these ones here because they’re really tricky, and we’re letting you know it’s phishing. I think that’s what security is about, getting to the point where those things never happen."

Dylan White

Information Security Engineer, KnowBe4