Introduction
Oak Ridge National Laboratory (ORNL) was established in 1943 and continues to play a vital role in scientific discovery and technological advancements that better society on a global scale. ORNL research focuses on addressing global challenges in the environment, energy, and national security. With over 6,000 employees worldwide and highly sensitive initiatives within their remit, security is foundational for their organization.
A snapshot of ORNL (source)
As a federally funded organization and pioneer in technological advancement, the ORNL team sought a solution that would facilitate their implementation of the Zero Trust framework and alleviate some of their resources. After much review of various vendors, ORNL brought on Tines to reinforce their security infrastructure in the fall of 2022.
Tines’s no-code automation approach enabled them to break ground on projects that were years in the making as well as execute workflows they couldn’t imagine doing manually.
Challenges and key solution requirements
The challenges for ORNL were two-fold: adhering to the Zero Trust framework in a short timeframe and managing their rotating security automation team.
Implementing the Zero Trust framework means that ORNL uses a large number of controls and processes that require continuous monitoring and reporting. The team has a vast technology stack to achieve this. The first step was finding a way to get all these systems that don’t normally talk to each other to talk to one another. The few but mighty security engineers tackled this initially through manual scripts. This was not only time-consuming but also meant only a subset of the team could actually manage their automations.
ORNL’s security team is made up of veterans, active duty, reserve, and civilian security experts. This team structure is ideal for solving complex problems, but comes with challenges of its own, such as military training and deployments in support of national security cyber missions. This left the automation inaccessible for those who remained and couldn’t write, manage, or maintain scripts. They were stuck.
As Larry Nichols, Cyber Enhancements Group Lead, put it:
It was very one-off and manual. Tines has been a major game changer for us. Writing individual scripts to try to automate many different applications is a tough thing to do, plus managing them as people move in and out. You need to figure out who wrote the script and how we can manage and maintain it over a long period of time. It was very manual."
Ultimately, ORNL needed a product that would work for both analysts and engineers. It was vital that the product be simple to manage and maintain, as well as scalable and flexible. The team ultimately reviewed other products that had out-of-the-box use cases and no way to scale or adjust to an environment as complex as ORNL.
The team’s main objective was to find a solution that would automate their day-to-day routine tasks and remove any risk of vulnerability while the engineers who wrote the scripts were deployed.
Their solution requirements also included:
Flexibility to integrate with their various internal and external systems
Ease of use for teams with and without scripting skills
Decrease the mean time to resolution for their use cases
Increased metric evaluation and reporting capabilities
The team began looking for a platform with SOAR capabilities that worked well with their SIEM, Elastic, and their broader security stack. They sought a vendor that would allow them to be agile and offer reliable customer support that could keep up with the demands of their team, government regulations, and their tech stack.
Solution and impact
Pete Wood, Lead Engineer, undertook the task of finding a suitable vendor. He asked the team for a use case applicable to the wider team so he could test it with various vendors. Pete chose a phishing analysis workflow because it touched most of ORNL’s systems, including email and JIRA. He used that same use case for all the tools he evaluated, and Tines was the only vendor that could successfully achieve the use case in the given timeframe, which was eight weeks. "I went to the team and asked for some use cases they felt would greatly benefit from automation. I used that same use case for all the SOAR tools I was evaluating, and at the end of all the evaluations, Tines was the only one that was even able to achieve it with success in the time frame. The metric for that workflow was never actually achieved using any other vendor in the time frame that we had."
Larry described how Tines enables anyone within the ORNL security organization to automate their day-to-day tasks themselves, removing the need for engineering support. This ultimately decreases the mean time to resolution for their use cases – one of the team's original solution requirements. “Typically, a lot of cyber orgs such as ours will have the engineering team build and maintain the automation tools, and sometimes even build the playbooks too.” Larry explained:
With Tines, the other teams now have the power to build the playbooks themselves. They don’t have to wait on the engineering team anymore. The power is now in their hands."
Larry Nichols,
Cyber Enhancements Group Lead,
ORNL
Using rest APIs as part of the Tines solution helped the team discover something – most of the systems they had been using all along have APIs. This means they can now automate processes for all of these systems, which is something they didn’t realize would be possible.
Mike Crider, Cyber Vulnerability Analyst, explained, “It was a game changer during onboarding when we could connect all our systems. We have a lot of tools in our environment. Anything that has a backend API, we’re now using Tines to tie into that tool. Our ability to integrate new tools has taken out so much of our everyday tasks from before.” Pete further explained, “We can automate anything, the only thing we’re limited by is our own mindset and time to do it.”
The team uses Tines to update data sets within the tools in their tech stack. Because Tines is no-code, the knowledge base can be transferred from person to person as they use it. As a result, anyone on the team can manage automation. ORNL is proud of the operational efficiency they have achieved with Tines. This is due in part to team members no longer needing "tribal knowledge" to maintain scripts, as was the case before.
Tines’s ease of use has decreased the mean time to resolution for the team’s use cases. Some of the Tines features that make this possible include:
cURL to Tines
Pete explained how the feature benefits the team,“It allows you to do whatever you want – without integration issues. That makes Tines jump far ahead of other vendors who need to wait on developers to build, update, or push a change... that delay of waiting on a developer is something you just don’t have with Tines.”
Pages
With pages, the team has the ability to rapidly gain access to web interfaces to get fast results. It makes training a lot easier, allowing them to get into the tool quickly without needing to go through jump servers or provide additional access to get to it.
Intuitive interface
Across the platform, it’s been easy for any member of the team to understand and use Tines quickly.
Integration with anything
Mike said of the accessibility of Tines: “The learning curve is significantly less for new employees, and integrating new tools that come into our tech stack is easy.”
Matt Lindsey, Defensive Cyber Operations Group Lead, tested Tines for the first time using three to four playbooks that the team uses on a recurring basis. The playbooks were nuanced and had lots of steps involved for things like evaluating the trustworthiness of an IP, but within days they had a process that was saving the team dozens of analyst hours per week. Previously, it would take them 20–30 minutes to get data from internal and external tools and put together a portfolio, but with Tines, this was done in seconds. The team has to do these portfolios many times a day, and the time saved frees up the engineering team to focus on other tasks that have high impact. ORNL now has the power to build its own playbooks and processes.
The team currently uses Tines for a number of use cases, including:
Organization-wide reporting
Curating and combining information across databases
Vulnerability management
Cyber threat intelligence
Endpoint management
Firewall rule management
Forensics
Digital investigations
Incident response
Tines services
One of the main reasons the team chose Tines was its ease of use and intuitive design. As Pete puts it, “Anyone can pick up and learn Tines.” Regardless of their skill set, the team is empowered to create and maintain the automations they need to take the pain out of their manual and time-consuming tasks.
Logan McGhee, Senior Vulnerability Analyst, shared that he does not have a developer background, so he wasn’t historically in a position to build or control the playbooks. “I’ve been able to pick up Tines incredibly quickly with the support of the support team, story library, Slack community, and Tines docs.”
After just a few months, I feel very comfortable with it. Like Pete shared, Tines is something anyone can implement and become a master of automation."
Logan McGhee,
Senior Vulnerability Analyst,
ORNL
Pete discussed his positive experiences with the Tines support team, calling out a specific example of when he was working on a tenant upgrade: “We had a tenant upgrade that we were going through. It had to be quick, and I had questions. I was always a little skeptical of them not having a phone number, but it turns out I didn’t need it. Slack might even be more responsive than a phone number. I put my questions into the Slack community and had a response in minutes, even though I posted at 11pm. The support has always been fantastic.”
Beyond their initial goals
There are two areas ORNL wasn’t even thinking about when they brought in Tines: regular executive reporting and managing their Tenable repository. They delved into how Tines solved problems they didn’t realize a vendor could help them solve and the impact it has for them.
Better together: Tines + Elastic to deliver regular reports
The ORNL team uses Elasticsearch as their SIEM. During Pete’s tool evaluation, he found most other vendors were tailored specifically to Splunk, so their Elastic integrations referenced old versions and had significant compatibility issues.
“The big holdup for the other vendors, and another area where Tines really shined, was with Elastic. Most other services are tailored specifically to Splunk, not Elastic. As a result, most of their integrations were broken, and they didn’t even realize it. Built-in integrations create a huge dependency on their developers and introduce long waiting periods. That’s simply not an issue with Tines.”
This seamless integration between Tines and Elastic was a massive operational win. As the team went through implementation, it resurfaced a long-deferred initiative: improving reporting. Larry explained, "An area we always struggled with was reporting. Not only within the team but also up to leadership within and outside the organization."
How ORNL improved transparency
The team relied on stitching together data from different systems, each with a different owner responsible for manually checking and sharing their metrics into a joint spreadsheet. Larry explains, “We’ve been trying to build an automated report for three years, and now because of Tines, we actually can.” The ability to automate reporting saves Matt’s team at least two hours a week. For the first time, the team sends scheduled reports internally on a weekly basis and up to leaders on a monthly cadence.
Pete added, "We make all the API calls in Tines, where it’s cleaned up, then push this data from the API calls to Elastic. In Elastic, we create any visualization we want out of them.”
That's putting Elastic and Tines to work and extracting insights we always wanted but could never get to. We didn't really go into this thinking Tines would solve for that, but it has."
Pete Wood, Lead Engineer, ORNL
Managing their Tenable repository
ORNL uses Tenable for its vulnerability analysis, and this year, they experienced a big transition between IPv4 and IPv6 (these are the most common types of repositories used with Tenable). Before using Tines, multiple scripting techniques across a number of platforms were needed to execute their vulnerability analysis, which was highly manual and took a lot of time.
How ORNL optimized their vulnerability analysis
Using Tines, Mike now automates the process. He gathers entire network information from databases via their APIs and updates Tenable with over two million IP addresses in a matter of seconds. This helps Mike and the team evaluate and break down those IP addresses for vulnerability, evaluate the data, and then push it to Tenable. To comb through this volume of IP addresses manually, before Tines, was not even a possibility. Mike explained, "The sheer time savings are immeasurable because it wasn’t even possible before. And the confidence we have in what we’re doing is incredibly valuable."
Future outlook
One of the next projects Pete plans to use Tines for is the automation of the team’s complex log ingestion pipelines. The data comes from several different network enclaves and routes through several different systems before it finally ends up in their SIEM. Using Tines to automate these steps will save Pete both time and overhead.
Due to their success so far in creating reports for the rest of the business, the ORNL team has set themselves a project that they hope to complete by the end of the fiscal year. They are using Tines to build a dashboard where they will automate a larger portion of their reporting metrics. This was previously years in the works, but now it’s going to be possible. Larry explains, “This is a big deal for us. We’re on the path to achieving this because of Tines.”
See how other teams have found success and achieved their goals using Tines. Read our customer case studies.