Repsol Leverages Gem CDR to Level Up Cloud Security Operations


CASE STUDY


Industry

Energy

Region

Global

Cloud Service Providers

AWS, Azure, GCP


We collect enormous amounts of telemetry from the cloud, at substantial cost. But actually using that telemetry to model potential attack techniques and build detections for cloud-native threats is a real challenge. We needed to look for a solution to give us the magic to reduce this complexity into just the significant events we needed to focus on, and give us the ROI we needed.

David Corral, Head of Cybersecurity Architecture

With over 24,000 employees and global operations, Madrid-based Repsol is a global multi-energy provider that strives to lead the energy transition. Having committed to the ambitious goal of becoming a net zero emissions company by 2050, Repsol operates in all areas of the energy value chain, producing energy from hydrocarbons (oil and gas exploration and production) and renewable sources (wind, floating wind, photovoltaic solar, hydroelectric) and transforming it into products and services for mobility and homes.

The Challenge

Repsol collected an enormous amount of cloud telemetry, but faced challenges in building the detection use cases they needed

When the company received cloud alerts, it was difficult to understand why the alert was suspicious and build the context needed to investigate

Repsol operated across all three major cloud providers, and struggled to find tooling that could provide parity of capabilities across AWS, Azure, and GCP

Gem’s Solution

Repsol gained a complete mapping of its incident response readiness, closing blind spots in telemetry collection and increasing preparedness for an incident

Repsol leveraged Gem detection to close gaps in its cloud-native threat modeling, providing comprehensive detection coverage that the SOC could understand

By integrating Gem with its existing tools, the company was able to get best-in-class cloud defenses while preserving its existing SecOps workflow

Repsol was relatively early to adopt the cloud, and has been operating in public cloud infrastructure for the past several years. The company has a slight concentration in Azure, but has significant deployments across all three major cloud providers.

The Need for Cloud Detection and Response

Repsol has a robust security organization, and the company already had leading security tools in place when it began working with Gem. Repsol employed a centralized SIEM solution serving as the single pane of glass for the SOC, enabled and integrated many of the native security tools from cloud providers, and leveraged a leading enterprise CSPM tool to ensure that its cloud environment was properly configured and protected against threats.


But despite this maturity, the company still faced several pain points when it came to real-time cloud security operations. Repsol recognized that cloud-native attack techniques were very different from what the SecOps team was used to on premises, but modeling these attack techniques and writing custom detection rules in the SIEM was very challenging. The company was expending significant resources to collect and store extremely large volumes of cloud telemetry, but extracting value from that data in the form of high-quality threat detection remained difficult. The company had recently embarked on a strategic initiative to improve its cloud monitoring infrastructure, and recognized the need for new tooling to help address these pain points.

Gem Detection Provides Immediate Value from Cloud Telemetry

This is precisely the problem that Gem addressed. Gem’s threat detection functionality unlocked the value in Repsol’s security telemetry. Instead of constantly trying to stay up to date on the latest cloud-native attack tactics and modeling threat detection use cases for all of them, the Repsol security operations team could rest assured knowing that Gem’s continuously updated library of hundreds of pre-built detection rules provided the coverage they needed. Having this coverage out of the box saved the company time and resources compared to building and maintaining custom rules in its SIEM solution.

The biggest differentiation for Gem is the context. When we get alerts in Gem, we have the context to understand the threat. We know what behavior patterns are for the entities involved, and we can tell what’s normal behavior, what’s unusual, and what’s suspicious. We don’t get that from other tools.

David Corral Morgadez, Head of Cybersecurity Architecture

Moreover, Repsol enjoyed significantly higher-fidelity alerts compared to its existing tools thanks to Gem’s cloud-native behavioral analytics layer. Behavioral analytics lowered noise and ensured that Repsol would only be alerted when potentially malicious behavior was unusual enough to merit suspicion.

Gem detection significantly reduced noise in our alerting. For any given threat, our previous tooling might have either missed it entirely or given us 15 to 20 duplicate alerts that make it much more difficult to triage the threat. With Gem, we get the one, high-fidelity alert that we need.

Juan Carlos García Sánchez, Cyber Threat Detection Manager

Response

Arguably most important, though, was that Gem’s platform provided more than contextless alerts. When the Repsol team got a threat notification from Gem, they saw full cloud-native context on all entities involved.

It’s extremely useful to be able to see the entire timeline of the incident. We can see all the entities involved in the threat, which helps us trace the whole attack and understand it faster.

Estefanía Eiras Mayoral, Cloud Security Architect

The platform condensed thousands of individual cloud events into an easily-understandable storyline of a threat. Automated investigation and analysis functionality made security analysts faster and lowered mean time to respond to cloud threats.

CDR, Integrated Into the Workflow

Gem’s technology provided Repsol with much-needed functionality. But the company is a multinational enterprise with pre-existing processes and tooling, and Repsol required Gem to fit into its existing security operations workflow. Repsol needed best-in-class solutions, but didn’t want its security operations teams to have to manage yet another open tab. Gem’s platform provided the adaptability needed to fit this model. Gem’s integration-first approach connected to Repsol’s existing security operations infrastructure, allowing the platform to provide a seamless experience for the security operations team. For example, Gem integrated with Repsol’s existing SIEM solution, allowing analysts to preserve their single pane of glass for their entire IT ecosystem.

Gem integrated seamlessly into our environment. Our analysts can still leverage their existing workflows, training, and expertise. Gem works within that existing architecture to solve the cloud pain points which used to be so challenging.

Javier Garcia Quintela, CISO

When analysts received an alert, they could see it and perform any preliminary investigation directly within the SIEM. But when the alert needed deeper investigation, analysts could pivot to Gem’s interface to get cloud-native triage and context functionality. Instead of running query after query in their general-purpose SIEM, analysts could significantly accelerate the response process with Gem’s purpose-built cloud tooling.


Impact and Outcomes

Repsol used Gem to close its cloud detection and response gaps, getting more value out of the cloud telemetry it collects. With Gem, Repsol could get complete threat coverage out of the box, lowering the burden on its monitoring team to build detection use cases manually. High-fidelity alerts and low noise allowed Repsol analysts to focus their efforts on the most important threats, and built-in context enabled the company to get to the bottom of alerts faster. Through Gem, Repsol was able to bring its existing security operations workflow into the cloud era.
