Allan Gray is a leading South African financial services company, providing investment management and financial advisory services for customers. Historically, the company’s infrastructure has been largely on-premises. Over the past few years, however, Allan Gray has been experimenting with shifting some workloads to the cloud, and enjoyed the advantages in speed and flexibility that the cloud offers. In 2022, the company decided to accelerate its cloud migration and move production infrastructure from its on-prem environment into AWS.
Allan Gray has accelerated its cloud migration, moving critical workloads from its on-premises environment into AWS
Allan Gray’s existing security toolset was built for on-premises, and did not provide complete real-time visibility over their cloud infrastructure
Allan Gray is highly regulated and has strong security controls, and wanted to ensure its cloud environment met the same security standards as its on-premises environment. The company needed additional tooling to respond faster in the event of an attack
Allan Gray used Gem to immediately identify monitoring blind spots, with actionable recommendations for achieving optimal telemetry coverage
Allan Gray rolled out continuous, real-time protection for hundreds of cloud-native attacker tactics, techniques, and procedures (TTPs) in minutes, gaining complete cloud threat coverage out-of-the-box
Using Gem’s intuitive triage and investigation interface, Allan Gray could drive down mean time to respond to cloud alerts and better secure its cloud migration
Allan Gray: Moving Critical Workloads to Cloud
As Allan Gray's cloud migration accelerated, the security team had serious concerns. Though their workflow was highly effective on-premises, their security tooling was not built for the cloud and could not be easily adapted to cloud-native use cases. On premises, the security team had visibility and control over all the information flowing through the network. In an entirely new cloud environment, however, the team had access to enormous amounts of telemetry, but it was neither practical nor affordable to collect it all. The telemetry they did collect lacked context, and it was difficult for the team to build practical use cases for response.
Facing these problems, the security team knew they would need new tooling. The company already used a leading SIEM solution to aggregate their security information and build detections and alerting. Though Allan Gray expected this SIEM to continue to act as their primary pane of glass, it was not built for cloud use cases. Streaming large amounts of cloud logs into the SIEM was cost-prohibitive, and manually building detection engineering use cases took up too much time. The company needed new tools that could support cloud cost-effectively out-of-the-box.
"With our existing SIEM, we had to build everything ourselves. Ingesting cloud logs and maintaining custom use cases took up too much of our team's time and wasn't cost effective. We needed a new approach."
Werner Lunow, CISO
The company’s first new investment was a CNAPP tool to help them gain some visibility over their configuration and cloud posture, and the company enabled AWS-native tools such as GuardDuty. But challenges remained. Though these tools had their purpose, the security team still felt they lacked visibility into threats happening in real time. Even when they did get alerts, those alerts were often contextless, and it was difficult to know where to look to triage, investigate, and respond.
Complete Real-Time Visibility
Gem's solution was uniquely positioned to solve these challenges. Minutes after deploying Gem, Allan Gray was able to identify critical blind spots in telemetry collection and benchmark its visibility against the MITRE ATT&CK framework.
"One of the key benefits was being able to understand what logging we needed and what we didn't, then getting the continuous monitoring to make sure our collection was consistent."
Werner Lunow, CISO
For example, Allan Gray wanted to ensure that VPC flow logs were collected on all production VPCs before critical workloads were migrated. Using Gem, Allan Gray was able to immediately identify every VPC for which flow logs were not being collected, despite an organizational policy requiring them.
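The check described above, written as an added example rather than Gem's or Allan Gray's own code: it walks records in the shape boto3 returns from ec2.describe_vpcs() and ec2.describe_flow_logs() and reports production VPCs without a usable flow log. The sample records are constructed, and the Environment=production tag convention is an assumption.

```python
"""Flow-log coverage check (added example, not Gem's or Allan Gray's code).
Input shapes follow boto3's describe_vpcs()["Vpcs"] and
describe_flow_logs()["FlowLogs"]; sample data and the production tag are
constructed assumptions."""


def _has_tag(resource, key, value):
    """True if a boto3-style Tags list contains key=value."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in resource.get("Tags", []))


def uncovered_vpcs(vpcs, flow_logs, required_traffic="ALL", production_only=True):
    """Return the sorted IDs of in-scope VPCs with no ACTIVE flow log that
    captures `required_traffic`.

    A flow log that exists but is INACTIVE, or that captures only ACCEPT or
    REJECT when policy demands ALL, leaves the VPC uncovered: the check is
    for usable telemetry, not for the mere presence of a flow-log object.
    """
    covered = {
        fl["ResourceId"] for fl in flow_logs
        if fl.get("FlowLogStatus") == "ACTIVE"
        and fl.get("TrafficType") == required_traffic
    }
    in_scope = [v for v in vpcs
                if not production_only or _has_tag(v, "Environment", "production")]
    return sorted(v["VpcId"] for v in in_scope if v["VpcId"] not in covered)


# Constructed sample: three production VPCs and one dev VPC.
SAMPLE_VPCS = [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "Environment", "Value": "production"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "Environment", "Value": "production"}]},
    {"VpcId": "vpc-0ccc", "Tags": [{"Key": "Environment", "Value": "production"}]},
    {"VpcId": "vpc-0ddd", "Tags": [{"Key": "Environment", "Value": "dev"}]},
]
SAMPLE_FLOW_LOGS = [
    {"ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    {"ResourceId": "vpc-0bbb", "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT"},
    {"ResourceId": "vpc-0ccc", "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
]

if __name__ == "__main__":
    # Against a real account, feed the paginated results of
    # boto3.client("ec2").describe_vpcs() and describe_flow_logs() instead.
    for vpc_id in uncovered_vpcs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS):
        print(f"{vpc_id}: no active flow log capturing ALL traffic")
```

Run on a schedule, the same function turns a one-off audit into the continuous check the quote above describes.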
Out-of-the-box Detection and Actionable Investigation
Allan Gray leveraged Gem’s collection of cloud-native TTPs and cloud entity behavioral analytics to deploy comprehensive threat detection coverage in minutes, enabling the company to catch live threats that its other tools were not designed to detect. Moreover, Gem’s out-of-the-box coverage enabled Allan Gray to reduce time spent on custom detection engineering and redirect team resources to strategic initiatives like red teaming.
When alerts did trigger, Allan Gray used Gem to consolidate context and streamline its triage and investigation processes, accelerating response time to cloud threats.
"We used to find that alerts were missing information that we needed for context. With Gem, we get all the information we need in one place, so we can dig in and resolve alerts faster."
Raees Fataar, Security Analyst
For example, Allan Gray was able to use Gem’s threat timelines to quickly expand its view of an alert and gather broader context. Rather than only seeing a single event that triggered an alert, Allan Gray could see all the relevant users and entities associated with a threat in the time leading up to and after the suspicious event. As the company migrated to the cloud, this context enabled significantly faster alert resolution as the company aligned on best practices.
"As we were early in our cloud migration, people were still learning the best practices. We could get the full picture of all the users involved in an alert and easily follow up with them to explain what had happened and how best to close the gaps."
Raees Fataar, Security Analyst
Impact and Outcomes
As Allan Gray migrated to the cloud, Gem enabled the company to maintain in the new cloud environment the same security standards it had on premises. Allan Gray achieved real-time visibility into all events happening in its cloud environment, and continuous monitoring ensured that the company was always prepared for an incident. Gem's out-of-the-box detection enabled Allan Gray to deploy complete coverage without expending significant resources on custom detection engineering. Actionable response enabled Allan Gray to reduce its mean time to remediate threats, giving the security team the confidence and assurance that if and when they are attacked in the cloud, they will be prepared to stop the threat.