Case study

Oak Ridge National Laboratory taps into the unimaginable with Tines

Highlights

  • Federally funded research & development center for the US DOE
  • World’s premier research institution
  • 6k+ employees

“We’ve been trying to build an automated report for three years, and now because of Tines, we actually can.”

Introduction 

Oak Ridge National Laboratory (ORNL) was established in 1943 and continues to play a vital role in scientific discovery and technological advancements that better society on a global scale. ORNL research focuses on addressing global challenges in the environment, energy, and national security. With over 6,000 employees worldwide and highly sensitive initiatives within their remit, security is foundational for their organization.

  • Staff: 6,000+, including scientists and engineers in more than 100 disciplines
  • 3,200 users and visiting scientists annually
  • Budget: $2.4 billion
  • Location: Oak Ridge, Tennessee
  • Established: 1943, as part of the Manhattan Project
  • 872 US patents issued from 2010 to 2021
  • 173 active licenses
  • 232 R&D 100 Awards (Research & Development), more than any other national laboratory

A snapshot of ORNL (source)

As a federally funded organization and pioneer in technological advancement, the ORNL team sought a solution that would facilitate their implementation of the Zero Trust framework and alleviate some of their resources. After much review of various vendors, ORNL brought on Tines to reinforce their security infrastructure in the fall of 2022. 

Tines’s no-code automation approach enabled them to break ground on projects that were years in the making as well as execute workflows they couldn’t imagine doing manually.

Challenges and key solution requirements 

The challenges for ORNL were two-fold: adhering to the Zero Trust framework in a short timeframe and managing their rotating security automation team.

Implementing the Zero Trust framework means that ORNL uses a large number of controls and processes that require continuous monitoring and reporting. The team has a vast technology stack to achieve this. The first step was finding a way to get all these systems that don’t normally talk to each other to talk to one another. The few but mighty security engineers tackled this initially through manual scripts. This was not only time-consuming but also meant only a subset of the team could actually manage their automations. 

ORNL’s security team is made up of veterans, active duty, reserve, and civilian security experts. This team structure is ideal for solving complex problems, but comes with challenges of its own, such as military training and deployments in support of national security cyber missions. This left the automation inaccessible for those who remained and couldn’t write, manage, or maintain scripts. They were stuck.

As Larry Nichols, Cyber Enhancements Group Lead, put it:

"It was very one-off and manual. Tines has been a major game changer for us. Writing individual scripts to try to automate many different applications is a tough thing to do, plus managing them as people move in and out. You need to figure out who wrote the script and how we can manage and maintain it over a long period of time. It was very manual."

Ultimately, ORNL needed a product that would work for both analysts and engineers. It was vital that the product be simple to manage and maintain, as well as scalable and flexible. The team also reviewed other products that offered out-of-the-box use cases but no way to scale or adjust to an environment as complex as ORNL's.

The team’s main objective was to find a solution that would automate their day-to-day routine tasks and remove any risk of vulnerability while the engineers who wrote the scripts were deployed.

Their solution requirements also included: 

  1. Flexibility to integrate with their various internal and external systems

  2. Ease of use for teams with and without scripting skills

  3. Decrease the mean time to resolution for their use cases

  4. Increased metric evaluation and reporting capabilities

The team began looking for a platform with SOAR capabilities that worked well with their SIEM, Elastic, and their broader security stack. They sought a vendor that would allow them to be agile and offer reliable customer support that could keep up with the demands of their team, government regulations, and their tech stack.

Solution and impact 

Pete Wood, Lead Engineer, undertook the task of finding a suitable vendor. He asked the team for a use case applicable to the wider team so he could test it with various vendors. Pete chose a phishing analysis workflow because it touched most of ORNL’s systems, including email and JIRA. He used that same use case for all the tools he evaluated, and Tines was the only vendor that could successfully achieve the use case in the given timeframe, which was eight weeks. "I went to the team and asked for some use cases they felt would greatly benefit from automation. I used that same use case for all the SOAR tools I was evaluating, and at the end of all the evaluations, Tines was the only one that was even able to achieve it with success in the time frame. The metric for that workflow was never actually achieved using any other vendor in the time frame that we had."

Larry described how Tines enables anyone within the ORNL security organization to automate their day-to-day tasks themselves, removing the need for engineering support. This ultimately decreases the mean time to resolution for their use cases – one of the team's original solution requirements. “Typically, a lot of cyber orgs such as ours will have the engineering team build and maintain the automation tools, and sometimes even build the playbooks too.” Larry explained:

"With Tines, the other teams now have the power to build the playbooks themselves. They don’t have to wait on the engineering team anymore. The power is now in their hands."

Larry Nichols, Cyber Enhancements Group Lead, ORNL

Using REST APIs as part of the Tines solution helped the team discover something: most of the systems they had been using all along have APIs. This means they can now automate processes for all of these systems, which is something they didn’t realize would be possible.

Mike Crider, Cyber Vulnerability Analyst, explained, “It was a game changer during onboarding when we could connect all our systems. We have a lot of tools in our environment. Anything that has a backend API, we’re now using Tines to tie into that tool. Our ability to integrate new tools has taken out so much of our everyday tasks from before.” Pete added, “We can automate anything, the only thing we’re limited by is our own mindset and time to do it.” 

The team uses Tines to update data sets within the tools in their tech stack. Because Tines is no-code, the knowledge base can be transferred from person to person as they use it. As a result, anyone on the team can manage automation. ORNL is proud of the operational efficiency they have achieved with Tines. This is due in part to team members no longer needing "tribal knowledge" to maintain scripts, as was the case before.

Tines’s ease of use has decreased the mean time to resolution for the team’s use cases. Some of the Tines features that make this possible include: 

cURL to Tines

Pete explained how the feature benefits the team: “It allows you to do whatever you want – without integration issues. That makes Tines jump far ahead of other vendors who need to wait on developers to build, update, or push a change... that delay of waiting on a developer is something you just don’t have with Tines.”

Pages

With Pages, the team can rapidly stand up web interfaces to get fast results. It makes training a lot easier, allowing them to get into the tool quickly without needing to go through jump servers or provision additional access to reach it.

Intuitive interface

Across the platform, it’s been easy for any member of the team to understand and use Tines quickly.

Integration with anything

Mike said of the accessibility of Tines: “The learning curve is significantly less for new employees, and integrating new tools that come into our tech stack is easy.” 

Matt Lindsey, Defensive Cyber Operations Group Lead, tested Tines for the first time using three to four playbooks that the team uses on a recurring basis. The playbooks were nuanced and had lots of steps involved for things like evaluating the trustworthiness of an IP, but within days they had a process that was saving the team dozens of analyst hours per week. Previously, it would take them 20–30 minutes to get data from internal and external tools and put together a portfolio, but with Tines, this was done in seconds. The team has to do these portfolios many times a day, and the time saved frees up the engineering team to focus on other tasks that have high impact. ORNL now has the power to build its own playbooks and processes. 

The team currently uses Tines for a number of use cases, including: