Blocking IOCs at the speed of automation (With OneLogin)
Matthew Petroske, OneLogin's Senior Incident Response Engineer, saw the value of Tines early on and was impressed by the functionality and scalability of the automation platform.
“The analogy I like to use is functional programming; the way that Tines has built the platform means we can just reuse Stories in a very flexible and straightforward fashion, and that makes my life easier, which is what I love. I'm a huge ‘Send to Story’ fan.”
OneLogin was also eager to improve the quality of its security alerts and reduce their volume, to combat alert fatigue.
“Being a small team, we wanted to make sure we were getting high-quality alerting and have the data an analyst needs,” explains Petroske. “So, when we get alerts, they aren't 90% false positives, and we aren't getting thousands of alerts per day. Being able to leverage a platform to do a first-pass triage analysis of a detection, we can filter out some of those alerts and reduce the number the team has eyes on. Then for the alerts that we manually review, it's about what data an analyst needs. For example, if the detection only has an IP address, we want additional information around its geolocation. Is the IP address on any particular threat list? Are there any actors that are known to use this particular IP address? Once an alert gets reviewed by a human, we want to make sure those initial questions are already answered in the ticket for our analysts to see. With Tines, there's no manually having to look that information up because it's all in a centralized location.”
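The first-pass triage Petroske describes (answer the analyst's opening questions about an IP, drop the obvious false positives, and put the answers in the ticket) can be sketched in a few dozen lines. The following is an added example, not Tines or OneLogin code: the geolocation table, threat list and actor mapping are constructed sample data standing in for the lookups a Story would make against real services, and the alert shape (`id`, `src_ip`) is an assumption.

```python
"""First-pass alert triage and enrichment (added example, not Tines/OneLogin code).

The reference tables below are constructed placeholders for real enrichment
sources; the RFC 5737 documentation ranges serve as sample "public" addresses.
"""
import ipaddress

# Constructed sample reference data (placeholders for geolocation, threat-feed
# and actor-attribution lookups a real Story would call out to).
GEO_TABLE = {
    "198.51.100.0/24": {"country": "NL", "asn": "AS64500 EXAMPLE-HOSTING"},
    "203.0.113.0/24": {"country": "US", "asn": "AS64496 EXAMPLE-ISP"},
}
THREAT_LIST = {
    "198.51.100.0/24": "constructed-feed:known-scanner-range",
}
KNOWN_ACTORS = {
    "198.51.100.23": ["CONSTRUCTED-ACTOR-1"],
}

# Explicit internal ranges. Python's `is_private` also treats the RFC 5737
# documentation ranges used as sample data above as private, so we check
# RFC 1918, loopback and link-local ranges ourselves instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _match_cidr(ip, table):
    """Return the value for the most specific CIDR in `table` containing `ip`."""
    best, best_len = None, -1
    for cidr, value in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


def enrich_ip(ip_str: str) -> dict:
    """Answer the analyst's first questions about an IP: where is it, is it on a
    threat list, who is known to use it. Internal addresses are flagged, not looked up."""
    ip = ipaddress.ip_address(ip_str.strip())
    if any(ip in net for net in INTERNAL_NETS):
        return {"ip": str(ip), "internal": True, "geo": None, "threat_list": None, "actors": []}
    return {
        "ip": str(ip),
        "internal": False,
        "geo": _match_cidr(ip, GEO_TABLE),
        "threat_list": _match_cidr(ip, THREAT_LIST),
        "actors": KNOWN_ACTORS.get(str(ip), []),
    }


def triage(alert: dict) -> dict:
    """First-pass triage: enrich, then decide whether a human needs to look.

    suppress  - internal source, nothing to enrich (a common false-positive class)
    escalate  - threat-list hit or known actor
    review    - enriched, no hit; an analyst decides with the answers already attached
    """
    enrichment = enrich_ip(alert["src_ip"])
    if enrichment["internal"]:
        verdict = "suppress"
    elif enrichment["threat_list"] or enrichment["actors"]:
        verdict = "escalate"
    else:
        verdict = "review"
    return {"alert_id": alert["id"], "verdict": verdict, "enrichment": enrichment}


def ticket_summary(result: dict) -> str:
    """Render the pre-answered questions into the text an analyst sees in the ticket."""
    e = result["enrichment"]
    geo = e["geo"] or {}
    return "\n".join([
        f"Alert {result['alert_id']}: verdict={result['verdict']}",
        f"  Source IP: {e['ip']} (internal={e['internal']})",
        f"  Geolocation: {geo.get('country', 'unknown')} / {geo.get('asn', 'unknown')}",
        f"  Threat list: {e['threat_list'] or 'no hit'}",
        f"  Known actors: {', '.join(e['actors']) or 'none'}",
    ])


if __name__ == "__main__":
    # Constructed sample alerts: one internal, one clean, one listed.
    for alert in [
        {"id": "A-1", "src_ip": "10.0.0.5"},
        {"id": "A-2", "src_ip": "203.0.113.77"},
        {"id": "A-3", "src_ip": "198.51.100.23"},
    ]:
        print(ticket_summary(triage(alert)))
```

The point of the structure is that the verdict and the enrichment travel together: a suppressed alert still records why it was dropped, and an escalated one arrives with the geolocation, list hit and actor attribution already filled in, so nobody has to look them up by hand.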
Tines founder Eoin Hinchy catches up with Matt to talk through how his team use Tines.