OneLogin is a cloud-based identity and access platform for secure, scalable, and smart experiences that connect people to technology. As the leader in Unified Access Management, OneLogin makes it simpler and safer for organizations to access the apps and data they need anytime, everywhere. OneLogin has a security-first culture. They seek to help customers gain the upper hand and defend against compromised credentials and breaches.
What's the challenge?
OneLogin's security team needed an automation platform enabling them to grow and scale. As a relatively lean team, they recognize the power of automation to help solve prevalent problems, such as alert fatigue. The company needed a solution to increase visibility, improve detections and data enrichment, and build out automated responses to take action against high-risk threats before a human being even looks at a ticket.
Matthew Petroske, OneLogin's Senior Incident Response Engineer, saw the value of Tines early on and was impressed by the functionality and scalability of the automation platform.
“The analogy I like to use is functional programming; the way that Tines has built the platform means we can just reuse Stories in a very flexible and straightforward fashion, and that makes my life easier, which is what I love. I'm a huge ‘Send to Story’ fan.”
OneLogin was also eager to improve the quality of its security alerts and reduce the number of them in their environment to combat alert fatigue.
“Being a small team, we wanted to make sure we were getting high-quality alerting and have the data an analyst needs,” explains Petroske. “So, when we get alerts, they aren't 90% false positives, and we aren't getting thousands of alerts per day. Being able to leverage a platform to do a first-pass triage analysis of a detection, we can filter out some of those alerts and reduce the number the team has eyes on. Then for the alerts that we manually review, it's about what data an analyst needs. For example, if the detection only has an IP address, we want additional information around its geolocation. Is the IP address on any particular threat list? Are there any actors that are known to use this particular IP address? Once an alert gets reviewed by a human, we want to make sure those initial questions are already answered in the ticket for our analysts to see. With Tines, there's no manually having to look that information up because it's all in a centralized location.”
He adds, “The thing I've seen with alert fatigue in the past is that people just stop caring about detections, or they make an assumption that it's a false positive. People stop doing due diligence to investigate something to its full extent. Then there are the other aspects such as there is less available time to focus on the fun projects or trying to learn to stay on the cutting edge.”
Tines has also enabled Matthew’s junior analysts to automate valuable tasks for the first time.
He explains, “Tines requires a slightly different mindset because the tool is unique and there is nothing else quite like it. I think folks who have worked with APIs before definitely took to Tines fairly easily and were able to start jumping into the waters and using Tines reasonably rapidly. For somebody that's experienced with programming, they have the ability to be very customizable and free form and build something the way they want. For anyone else not used to programming or the platform, the prebuilt templates have made their lives a lot easier and allow them to actively build something that benefits the team in a very short period.”
“We don't have a perfect metric on how much time Tines is saving us right now, but we've been estimating that at the very minimum, it's an entire headcount. In terms of times saved by a human clicking on things or manually doing things, we're saving at least 40 hours a week. I would happily say it reduces our time to respond or time to acknowledge and helps us meet SLAs. It reduces our dwell time on tickets; if something is highly sensitive or super important, it's not just sitting there and not being looked at. We can use Tines to bubble up the most important things and ensure somebody is looking at them rapidly.”
There are three separate security teams currently using Tines at OneLogin, including the CSIRT (Computer Security Incident Response Team), the IT team, and the security engineering team. Tines has enabled these teams to be collaborative for the first time without compromising their security posture.
Matthew says, “Before Tines, collaboration across the OneLogin security teams consisted of weekly/monthly syncs and emails - a fairly manual process. The Teams feature in Tines helped us convene a richer collaboration. There is a good chunk of overlap when it comes to tools. We're all working on different stuff, and again we like to have a security-first culture, which means having proper security controls; role-based access, least privileged access. So hypothetically, if our IT team has access to asset management tools and wants to create an API token that accesses those particular tools, they can restrict that just to their team. As the CSIRT team, I may not need access to that tool, so I shouldn't have access, and Tines has an appropriate feature in place that restricts it. Least privilege access helps us.”
“Teams is a feature of Tines that promotes collaboration across groups but ensures we can lock particular secrets down and make sure we are still being secure in our interactions.”
He adds, “Send to Story makes things super neat and tidy. It means I can build a single Story that manages incident creation, and then I never have to build it again. I can build out 15 different Stories, and they all use that same Send to Story feature to manage incident creation, and to me, that's pretty powerful. It makes things highly scalable and easier for my team. I can build a ticket that says if you want to create a Story, just use this Send to Story template, and the rest of my team can then use it. It makes life easier for me and helps me help my team.”
OneLogin is now looking at other areas to implement Tines.
Matthew explains, “We've been looking at how we ingest information from our threat intel platform into our other additional tooling for alerting and enrichment. There are several new use cases we're looking to implement. The first would be alerting. If an IP address is considered bad by our threat intel, let's make sure that we get an alert for it if we see that particular address inside our network logs. The second use case would be enrichment. So, if I get an alert and have a certain list of IOCs (Indicators of Compromise), what sort of information can I get from our threat intel provider and make sure it's added to our ticket. Additionally, we're figuring out how we can expose some of this information to wider security team members in a controlled manner via a Tines form, so they can see this information without having direct access to the threat intel platform.”
“The reality is that anything we possibly can automate we're looking to do. I think the general philosophy is that we'll do something manually for a period of time to understand what that process looks like. Once we've done it manually for a couple of weeks or months, we're trying to figure out ways to automate it.”