Thirty Madison Accelerates Cloud Detection and Response with Gem


CASE STUDY


Industry: Digital Health

Region: USA

Cloud Service Providers


We had to build all of our detection on AWS and Azure from scratch. It was too manual - we needed to increase our coverage faster.

Justin Berman, CISO

Thirty Madison is a leading online pharmacy and healthcare provider. Through its brands Keeps, Cove, Nurx, Picnic, and Facet, the company provides over 800,000 patients with prescriptions, care, and treatment for everything from hair loss to allergies. The company chose to partner with Gem to accelerate its cloud detection and response (CDR) program. With Gem's out-of-the-box CDR, Thirty Madison rapidly addressed cloud visibility and detection blind spots, and enabled automated triage to reduce Mean Time to Respond (MTTR) to cloud threats.

The Challenge

Thirty Madison wanted to improve its cloud detection coverage and automate manual processes to reduce Mean Time to Respond (MTTR)

The company used leading cloud security tools, but still had incomplete visibility of its cloud environment, and triaging cloud alerts in the SIEM was too manual and too time consuming

As the security operations team spent more time tuning detection rules or triaging minor alerts, they were left with less time to focus on strategic initiatives and a growing backlog of detection use cases left unaddressed

Gem’s Solution

Thirty Madison eliminated cloud telemetry blind spots with automated breach readiness monitoring, gaining real-time visibility over what was happening in its cloud environment

The firm rolled out instant protection for hundreds of cloud-native TTPs, enabling security analysts to stop spending days building and fine-tuning SIEM alerts and eliminating their detection backlog

The security team reduced MTTR with intuitive triage and response functionality, allowing a small team to better control a large, complicated environment

Small Security Team, Big Responsibilities

Thirty Madison has been cloud-native since its inception, and runs its business-critical operations primarily in AWS. The cloud-first architecture enables rapid development, but the sensitive nature of healthcare data means that the company places high emphasis on security. The security operations team is comfortable and familiar in cloud-native environments, and already uses best-in-class security tools for the cloud, including leading CNAPP and SIEM solutions. The company also uses native AWS security tooling, including AWS GuardDuty, to help detect threats in their environment.


But over the past few years, the company’s rapid growth (including through acquisitions) has expanded the security team’s workload and responsibilities. Thirty Madison’s security team felt like it had incomplete monitoring. Alec Randazzo, a Senior Security Engineer II at Thirty Madison, led a team developing and fine-tuning custom cloud detection rules in-house. Though the detections Alec and his team created generated high-quality alerts for the company, the process was time consuming. The security engineers had a lengthy backlog of detection rules to implement, which is why Thirty Madison began working with Gem to close the monitoring gaps faster.


Eliminating blindspots through incident readiness

As a first step, within minutes of deploying, Thirty Madison used Gem to create a comprehensive asset inventory, assessing their readiness to respond to a cloud attack. Gem quickly identified visibility gaps: assets where telemetry necessary to detect an attack was not being collected.


Gem then provided concrete recommendations about which additional telemetry to enable to maximize detection coverage. To make these recommendations actionable, Gem provided auto-generated Terraform snippets to turn on telemetry collection. Thirty Madison’s security operations team was able to simply download a CSV file containing the relevant assets and the associated Terraform scripts and give it to the DevOps team to more efficiently remediate the issues.

We could see specifically where we had gaps in our coverage - we could bring that information directly to our infrastructure team and work together to close them more effectively.

Alec Randazzo, Senior Security Engineer II

Complete coverage in a fraction of the time

Thirty Madison also used Gem to reduce its backlog of detection use cases. Gem’s approach to cloud detection, combining cloud-native TTPs and behavioral analytics, provided comprehensive coverage within minutes of integration. Detection engineering, which previously required significant manual effort and tuning on the part of the operations team, was significantly accelerated.

We had a big backlog of detection use cases we wanted to build in our SIEM, and Gem allowed us to clear that backlog much faster. Plus, Gem detected threats that none of our other tools could find, and the alerts were all high fidelity - the false positive rate was very low.

Alec Randazzo, Senior Security Engineer II

Thirty Madison also noticed improvements in the quality of alerts from Gem compared to existing solutions. First, the breadth of TTPs in Gem’s detection engine allowed the platform to find suspicious events that had simply been missed by the company’s other security tools. Second, Gem’s behavioral analytics layer kept noise to a minimum, reducing the overall alert volume.

Context to triage in minutes, not hours

When alerts did trigger, Thirty Madison used Gem to significantly reduce the manual workload associated with triage. Prior to Gem, the SecOps team had to run numerous SIEM queries to gather the required data to contextualize their alerts. Gem provided all this context by default with every alert, aggregating information from numerous sources across the cloud environment in a single timeline and table view for efficient analysis.

I can now answer questions quickly without having to go back and write queries in the SIEM. When we get alerts, the context is there already - it makes the whole triage process much faster.

Alec Randazzo, Senior Security Engineer II

Gem's automation allowed engineers to spend less time collecting data and more time on what mattered: assessing the alerts and determining the appropriate response.

Gem’s Impact

Thirty Madison’s partnership with Gem started on AWS, but the company is expanding Gem’s coverage into its Azure accounts as well. Gem acted as a force multiplier for the company’s cloud security operations, enabling a small team to better manage its expanding cloud environment. With continuous visibility, comprehensive detection, and automated triage, Gem was able to significantly increase analyst effectiveness and reduce MTTR.

Gem let us rapidly improve the quality and coverage of our detection and response in cloud systems.

Justin Berman, CISO
