About Layer 3 Communications
Layer 3 Communications is a managed services provider (MSSP) specializing in cybersecurity-complex infrastructure solutions across cloud and managed environments. Clients across education, healthcare, manufacturing, and Fortune 500 companies trust Layer 3 Communications to fulfill their information technology needs.
Executive summary
With managed security services at Layer 3 Communications scaling fast, Director of Security Services Alan Jones needed help to maintain the high-quality work his team delivered to their client base. “We were looking for as lean a product as possible,” Alan says, “because our use cases were specific to us, and we didn't want to fit into what a tool expected us to do. We wanted the tool to adapt to us instead of being forced to adapt to how the product works. As well as satisfying these criteria, Tines created new opportunities for Layer 3 Communications to bring additional value to their clients.
The challenge
As the company scaled, Alan faced a major challenge - more clients led to more security investigations, and his team was struggling to keep up. “That means that one of two things has to happen,” Alan says. “We either have to hire more staff, or the work product suffers.”
Alan looked to automation as a way to address the growing client base and maintain the high-quality levels for which Layer 3 Communications is known. He needed a solution that could connect to varied client tech stacks and accelerate analyst productivity.
He began his search with Splunk SOAR (formerly Phantom) and Swimlane. Ultimately, they lacked the level of flexibility they were looking to gain. “We started expanding our search to look for SOAR products that were platform agnostic,” he explains. “And through our research, Tines very quickly floated to the top of the list.”
Why Tines?
The level of engagement with Tines engineers during the POC process is what sealed the deal for Alan.
“Rather than just spinning up a tenant and kicking it over the wall to us, Tines engineers worked with us on our POC use cases, helping us understand how the platform works and giving examples of how to take the building blocks and glue them together,” he says. “The team at Tines did an outstanding job on that. I don't want to say that the competitors didn't, but Tines were just head and shoulders above them in terms of quality of output.”
On top of that, the platform was purpose-built to enable flexibility. With Tines, the team could address an even wider range of clients due to:
Vendor-agnostic backend, allowing them to meet the tech requirements of any client stack
Pages that create windows and interactions with Tines without interrupting analysts
Records reporting to monitor and share trends internally and externally
Pages
Interact with and share insights from the workflow through simple, elegant webpages.
Records
Create custom reports by capturing builder-defined parameters across workflows.
cURL to Tines
Generate pre-configured actions by copying a cURL command from a services API docs.
The impact
Improving consistency, reliability, and timeliness
Just a few months into their partnership with Tines, the security team at Layer 3 Communications has already seen a significant increase in the quality of their work.
“Our output is dramatically more consistent and reliable,” Alan explains. “Before, there were different levels of consistency and reliability from analyst to analyst. Even with small things like ticket formatting, there was a lot of variation.”
Connecting to their clientele’s varied tech stack
Tines also gives Alan’s team the ability to interact directly with more tooling than they had before.
“Previous to working with Tines, almost all of our security telemetry was inbound, so people had to send stuff to us in order for us to get information,” Alan explains. “With Tines, via its ability to make web calls on a scheduled basis, we can now reach out to a variety of different parties and pull things in instead of having to wait for them to push to us.”
Creating efficiencies with records
Using Tines records to determine whether Alan’s team is seeing repeats of the same incident has boosted efficiency. “Instead of creating a new Salesforce case for an existing alert, we take a new alert that's part of an existing Salesforce case and append it to that. Records work really well for that.”
Freeing up analyst time for threat detection and response
Another huge benefit of Tines for Layer 3 Communications is the ability to interact with clients in a consistent way.
With Tines, Alan can ensure that his analysts aren’t wasting time on learning and configuring their clientele’s ever-growing list of security tools. This way, his team can spend more time on the work that matters most.
I want my SOC analysts hunting bad guys. I don't want them to be tool experts.
Top workflows
Managing interactions with EDR tools
One of Alan’s stories uses Tines pages as an input mechanism for his SOC analysts to interact with multiple EDR tools consistently.
“The interaction that we have with that EDR tooling outside of our investigations is to quarantine inputs and to close cases that are internal to that tool,” Alan says. Before, analysts would have to close the case in Salesforce and then again in the EDR tool. Now, they just click a link.
“That link goes to a Tines page that already has the data filled out and then immediately submits, which goes to another story that interacts with that EDR tooling via API. So the net result of that is that, regardless of what EDR is downstream, is that the SOC analyst interacts with that page in the same way consistently. So the SOC analyst doesn't have to be trained up on that tool to be able to use it.”
If you ask me what my favorite feature is right now, it's probably pages. It allows us to have a heightened level of interactivity with the stories that we wouldn't otherwise have, which I think is really important.
Connecting investigation and detection
As for Alan’s favorite story? “Right now, it's our SIEM automation story. It's the glue that connects our investigation workflows to our detection stack. We have our own SIEM tooling that we developed in-house and the alerting information has always come in via email. That's resulted in everything being manual and that sucks, and so the ability to take that and fully automate the initial parts of an investigation is really a big deal.”
What’s next?
Layer 3 Communications are constantly looking for ways to deliver added value to their clients. And, according to Alan, Tines has become an essential part of that process.
One of the first questions that gets asked when we onboard a new client is, ‘How can we use Tines here?’ And so as we grow as an organization, Tines will be further and further embedded in what we do.
Alan and his team already plan to extend their client communication workflows. “Right now, our primary method of communication is email and telephone if there's a critical emergency,” he explains.
“Tines gives us the ability to automate additional communication workflows. We have a client that we're onboarding right now who lives and breathes in Slack. They've asked us to provide them with security alerting via Slack messages.
Tines allows us to deliver added value to clients that just wasn't possible before.
Learn more about how Tines helps MSSPs deliver better outcomes through smarter automation.