Dramatically reduced SIEM costs due to using ExtraHop as the primary data source for security analytics
Real-time security response thanks to rapid, high fidelity insight and an analytics-first SecOps workflow
Complete visibility across all systems and devices with a streamlined method for drilling into threats
The Beginning
A leading health solutions provider aims to cut costs while improving their IT security posture
For Accolade, providing top-notch service is a top priority. Indeed, it's what the company is known for. Accolade customers experience industry-leading engagement levels, satisfaction scores unseen in healthcare, better clinical outcomes and cost savings of more than 10 percent. A major component of keeping customers happy is ensuring the security of their data.
When Mike Sheward joined Accolade in early 2016, he immediately saw an opportunity to streamline costs and improve the company's IT security posture. At the time, Accolade was using a managed security services provider (MSSP), which had deployed a commercial SIEM offering.
Between the costs of the MSSP and the commercial SIEM, the company was spending approximately $200,000 a year. The team also had extremely limited visibility into the commercial SIEM solution, and depended entirely on the MSSP to monitor the security of their environment.
With ExtraHop and the SIEM we've built around it, our security guys have — at most — two windows they need to look at. One tells them what's going on, the other one tells them what has gone down and how to fix it.
Mike Sheward
Senior Director of Information Security,
Accolade
The Transformation
Time for a security solution that can bring back control and scale with the business
Working with his security team, Sheward set out to build a security solution that would better serve the needs of the business by keeping costs down and bringing control back in-house. The result of that effort is FortifyHQ, a custom-built SIEM solution hosted on AWS.
FortifyHQ uses wire data from ExtraHop, log data from AWS CloudWatch and CloudTrail, and a third-party authentication platform to provide both real-time visibility and forensic analysis to keep Accolade and its customers ahead of emerging threat vectors. With FortifyHQ in place, Sheward and his team were able to terminate the contract with the MSSP and the commercial SIEM.
By triggering a precise packet capture for suspicious events, and then sending that data to an open-source IDS solution using the ExtraHop Open Data Stream (ODS), Sheward and his team now have real-time intrusion alerting - and the digital evidence needed to investigate incidents - without requiring extensive customization.
The Outcome
Out-of-the-box threat intelligence empowers in-house security analysts
Accolade can now answer questions like, "Why are non-Accolade IPs trying to access the Admin page?" or "Why are non-US IPs trying to login when all of our customers in the US?" with the data they need to drill down to the source, get the answer, and protect their assets.
"With wire data from ExtraHop, you don't have to wait for the event to happen, get written into the log file system, and then analyzed," says Sheward. "You see the traffic as it's hitting the wire, not when it's hitting the end-points. If you put an ExtraHop appliance in front of the firewall, you can even see what is hitting you versus what is actually getting through. It's incredibly powerful. We still use log files, but in a very limited way."
Before implementing ExtraHop and the FortifyHQ solution, the security team at Accolade had limited visibility into what was happening in their own environment. With the custom-built SIEM, not only do they have complete visibility across all systems and devices, they're only four clicks away from any incident.