A freight logistics company undergoing digital transformation overhauled its SecOps tools, leading it to adopt an extensive detection and response tool for security monitoring and incident response.
This transition for the company, Flexport, began in 2019, when its IT team began to re-evaluate its SecOps tools, from Global Security Information and Event Management (SIEM) to Endpoint Discovery and Response (EDR). ) for laptops and employee workstations. The motivation for the refresh was twofold: some dissatisfaction with existing tools and a move to AWS cloud infrastructure that required new ways of managing IT security operations.
“Shortly before I arrived, we only had one AWS account. [Then] suddenly we had a dozen, ”said Taylor Merry, who joined Flexport in 2019 and is director of security operations at the freight logistics and supply chain company in San Francisco. “We had a few tools there, but it wasn’t really a good fit for us at our stage and level of maturity.”
Flexport replaced its old SIEM tool with a product from Sumo Logic and added antimalware support with SentinelOne. Along the way, Merry met the founders of Uptycs, a provider of security monitoring and incident response. Soon Uptycs would replace the old EDR tool from Flexport. The company would also start using Uptycs to replace its RedLock cloud security posture management tool (CSPM).
“It’s a great tool, a great platform, but it comes at an enterprise price,” Merry said of RedLock, now part of Palo Alto Networks’ Prisma Cloud suite. “We might be back in a few years when we have a bigger team and need some of the more advanced capabilities that this platform offers, but that just wasn’t right for us. “
From EDR to XDR, via Osquery
Uptycs, founded in 2016 and headquartered in Waltham, Mass., Is an emerging security analytics platform provider with products that address workload protection in the cloud, CSPM, EDR and a newer category. called Extended Detection and Response (XDR). XDR, an extension of EDR, unifies telemetry data across infrastructure, networks, and endpoints and can be used to manage and orchestrate an IT team’s response to security issues, wherever they arise. in the IT field. Other vendors that also offer XDR functionality include Palo Alto Networks; Trend Micro; and Cmd, a startup recently acquired by Elastic Inc.
Initially, Flexport deployed Uptycs for EDR. Part of what drew Merry to the Uptycs approach was his use of Osquery, an open source utility developed by Facebook that collects endpoint monitoring data without requiring a running process on the. local disk of a device, which may slow down the performance of the device for end users. With Osquery, endpoint monitoring data can also be queried using familiar SQL commands by SecOps personnel during a security investigation.
“I was looking to go one step further and have a larger set of endpoint data points that would allow us to investigate things that an anti-malware system won’t be able to detect.” , said Merry.
For example, at one point, software engineers at Flexport were concerned that one of the new SecOps tools might change a host file on their laptops, but Merry’s team could see through Uptycs that the change was due to a Docker process, and not inappropriate activity or activity on the system.
“It goes beyond what an anti-malware tool could have done, as they focus on security events, and we have a bigger view,” Merry said.
This overview now includes keeping an eye on Flexport’s ever-growing AWS infrastructure, which will soon cover approximately 100 separate accounts. Here, Uptycs took over from RedLock as a CSPM tool.
Uptycs uses other utilities to collect data from cloud resources, such as Cloudquery and Kubequery, but the data is presented the same way as Osquery data from endpoints, Merry said.
“We were able to get a very similar Osquery style SQL interface to query our infrastructure and collect data from different things in the environment, like [Elastic Compute Cloud] instances [and] containers, ”he said.“ It gives us good monitoring and alerts against SOC 2 control requirements, as well as things like [Center for Internet Security] AWS Benchmarks. “
Flexport will expand internal user access to Uptycs data once more precise role-based access controls (RBAC) are added in an update scheduled for early November. These controls will allow Merry to securely grant access to Uptycs data beyond security operations and engineering teams to site reliability engineers and product managers.
“I position Uptycs for the future as a layer of visibility,” Merry said. “If I can provide a good [RBAC] by Uptycs, so I can let them see some of this stuff in the different AWS accounts without having to give them an account to log in and poke around. “
Beth Pariseau, Senior Editor at TechTarget, is an award-winning veteran of computer journalism. She can be reached at [email protected] or on Twitter @PariseauTT.