Aledade: Reducing MTTR in the cloud while decreasing SIEM ingestion costs
Share it on:
CASE STUDY
Aledade: Reducing MTTR in the cloud while decreasing SIEM ingestion costs
Industry
Healthcare
Region
United States
Cloud Service Providers
Ready to Start?
Share it on:
By offloading cloud telemetry ingestion from our SIEM into Gem's high-performance data lake, we were able to decrease our SIEM ingestion costs for cloud logs by about 50%.
Tyson Kopcynski, Ciso
The Challenge
As cloud workloads expanded, Aledade needed to expand telemetry collection to provide real-time visibility into threats in their cloud environment
Storing this cloud telemetry in their traditional SIEM solution was becoming increasingly cost-prohibitive, prompting the company to seek alternatives to cut costs
The SecOps team is small, and they needed a way to more effectively triage and investigate cloud alerts without getting bogged down in too much noise
Gem’s Solution
Storing log telemetry using Gem’s data lake rather than its traditional SIEM led to 50% decrease in SIEM costs
Aledade was able to immediately remediate gaps in real-time visibility, doubling its breach readiness in only a few weeks
The company was able to drive down response time to cloud threats from days or hours to minutes, with SOC analysts using Gem to quickly create investigation timelines and build a complete story of the attack, conduct forensic analyses, and contain attacks before they impact operations
Aledade: Caring for Critical Healthcare data
With a network of more than 1.7 million patients in over 37 states, Aledade is the nation’s largest network of independent primary care organizations. The company’s infrastructure is about 80% cloud-based, with a multi-cloud deployment focused in AWS with smaller footprints in GCP and Azure.
For any organization in the healthcare industry, with tight regulations and responsibility for extremely sensitive personal information, a strong security program is a given - Aledade is no exception. But for Aledade, monitoring real-time activity and investigating threats in the cloud was becoming increasingly challenging.
​
Michael Akinbaleye, Senior Security Analyst at Aledade, knew that to increase real-time visibility over the cloud environment, the company needed to monitor a greater number and variety of telemetry sources. But knowing which sources were most important was difficult, and since cloud environments can be extremely verbose, storing all this data in Aledade’s traditional SIEM was becoming cost prohibitive.
Plus, the security team was small: Aledade needed a way to enable its security operations teams to resolve cloud threats faster, and Michael’s team couldn’t afford to expend resources triaging large numbers of low-fidelity alerts.
As we closed more gaps in our visibility, we’d seen a significant increase in SIEM costs associated with AWS logs. We needed a solution to help us achieve a better ROI - we needed to drive down costs, but we also needed to ensure our team would be able to accurately detect and respond to threats in the cloud."
Michael Akinbaleye | Senior Security Analyst, Aledade
Cloud Security ROI: Increasing the Numerator
Aledade deployed Gem into its AWS environment, and immediately upon deployment, Aledade was able to instantly identify logging and visibility blind spots using a comprehensive inventory of all its accounts and cloud resources. Instead of manually tracking which logs it collected and periodically scanning for deviations from policy, Aledade could easily and automatically get a complete picture of real-time visibility. Moreover, the company could map these telemetry sources against the MITRE ATT&CK for Cloud framework, enabling the security operations team to focus on the logs relevant to the attacks that mattered most for its threat model.
Gem’s comprehensive breach readiness assessment provided clear recommendations for Aledade to improve visibility, and actionable next steps allowed for immediate progress. Over the course of its POC with Gem, Aledade more than doubled its coverage for logging and real-time telemetry collection over the cloud environment.
When we detect threats, it’s much easier to investigate. Instead of querying manually in the SIEM, Gem allows us to quickly and easily conduct a forensic analysis and respond to the threat.
Michael Akinbaleye | Senior Security Analyst, Aledade
Cloud Security ROI: Lowering the Denominator
But Aledade also needed to drive down costs. The company’s cloud environment generated hundreds of gigabytes of telemetry every day: the SIEM was just not designed for such high volumes, and its ingestion-based pricing was running up unsustainable bills.
Gem’s pricing, based on the number of resources in the environment rather than ingestion, provided immediate cost savings. With a flexible backend built on a modern data lake, Gem was able to much more effectively accommodate Aledade’s cloud data volume, with customizable retention to meet relevant compliance requirements.
Leveling Up the Existing SecOps Workflow
Offloading cloud telemetry from the SIEM allowed for decreased costs, but Aledade still wanted to preserve a single pane of glass for its SecOps team to work with day-to-day. By integrating with the SIEM, Gem allowed the company to achieve that objective: cloud alerts from Gem, along with alerts from other tools for other parts of the corporate environment, are all fed into the SIEM, where analysts can monitor centrally.
But when cloud threats are detected, the SOC team can pivot into Gem as needed to investigate. Leveraging Gem, responders can quickly and effectively conduct a forensic analysis and respond to the threat, enabling the small security operations team to keep a handle on the entire environment.
