Case Study: r-tec - Exabeam

r-tec chooses the Exabeam Security Operations Platform to support their SOC, MDR, and incident response services

Industry: High-Tech
Product: Fusion SIEM
Use Case: Compromised Insider, Malicious Insider

The leading global SOC service provider needed an advanced cloud-native SIEM technology infusion to increase visibility, streamline detection and response, reduce alerts, and catch compromised credentials.

r-tec is a German-based security company with locations in Germany and Bulgaria that provides external security operations center (SOC) services, including a 24/7 incident response (IR) hotline and Managed Detection and Response (MDR) assistance for their customers. r-tec’s Cyber Defense Center (CDC), led by Sebastian Bittig, realized the legacy security information and event management (SIEM) solution they relied on to serve their customers’ security needs wasn’t measuring up. The old system overwhelmed CDC responders and customers with alarms, creating too much work for alert-fatigued analysts.

The r-tec team wanted a cloud-native SIEM solution fueled by intelligent automation for complete visibility and next-gen MDR capabilities. Bittig and his team wanted a state-of-the-art SIEM platform for the company’s environment and customers.

r-tec’s CDC team selected Exabeam SIEM, part of the Exabeam Security Operations Platform, to replace their legacy SIEM solution, and the results were significant. Detection metrics improved, operation times decreased, workloads shrank, and alarms became manageable for now-grateful analytics professionals. r-tec now enjoys the benefits of a next-gen intelligence and automation-driven SIEM solution for their company and the many customers who rely on them for industry-leading IR and MDR services.

Challenged by legacy SIEM technology and alert volume

r-tec’s CDC team of more than 20 security employees offers 24/7 incident response and MDR assistance to its local German and global customer base. r-tec provides an incident hotline and environment monitoring service where CDC analysts qualify alarms and activate MDR assistance for customers if necessary.

The CDC team was always busy, but they knew it was time to upgrade to the most modern technology available today. Like so many companies, they were dealing with SIEM technology that had quickly become outdated, lacked intelligence capability, and left too much work for the team, which had to continually update rule sets and develop their own content to cover so many new use cases. “With the legacy SIEM solution in place, we couldn’t get enough skilled employees to staff our team, the analysts we had were frustrated and didn’t want to continue working with it, and our service was becoming too expensive for our customers,” explains Bittig.

In another challenge for the CDC team, the legacy SIEM solution resulted in an overwhelming volume of alarms. Analysts suffered from alert fatigue while struggling with time-consuming data deep dives, analysis search queries, and the need to manually construct environment baselines.

Time for a next-gen technology solution

In April 2021, the CDC team knew they couldn’t wait any longer to make significant changes. r-tec’s decision makers began exploring new SIEM options, but not just any threat detection, investigation, and response (TDIR) solution would suffice. Sebastian and the CDC team wanted a state-of-the-art, cloud-based SIEM solution with all the next-gen features of the cloud for both their in-house SOC and SOC services. They also wanted machine learning (ML)-supported intelligence and automation-driven SIEM technology capable of giving complete visibility into log sources, seamlessly integrating with other solution systems, and reducing the number of alarms.

Decreasing customer alarm volume was critical. Bittig explains, “Our customers didn’t want to be bothered by irrelevant alarms. They wanted to concentrate on their business and not have to worry about security, knowing they were in good hands and that we were using the best technology we could find to protect them. If something happens, we can detect it quickly and respond effectively. That’s the most important thing for them.”

Bittig and his CDC team chose the Exabeam Security Operations Platform for the company’s in-house SIEM needs and to stand behind their IR hotline and MDR services. The Exabeam platform was the perfect fit, providing automatic timelines, ML models, auto-filled response features, and automation.

“Exabeam gives us an initial alarm followed immediately by context information on the alarm’s severity and timelines if more data is required. The SIEM only pushes forward with serious alerts, so we know if we need to switch into incident response mode,” says Bittig.

The r-tec CDC team sees many ransomware and other incidents resulting from compromised credentials, and this troubling trend factored into r-tec’s choice of Exabeam. Bittig explains, “In 90% of real attacks, we see compromised credentials used, which can be very hard to detect and defend. We chose Exabeam because their tools can successfully detect these kinds of attacks as they use many sources, not just security alerts. Their technology effectively analyzes and baselines normal usage to quickly alert on a compromised user or credentials.”

In the end, boosted metrics and happy analysts

The Exabeam Security Operations Platform started improving company and customer SIEM metrics immediately. Log onboarding times dropped by 70%, so what used to take months with their legacy SIEM solution now takes just days. Phone calls to customers investigating normal and abnormal behavior patterns decreased by 80%, saving everyone loads of time. Since replacing their legacy SIEM solution with Exabeam, r-tec’s mean time to acknowledge (MTA) has shrunk by 50%, now averaging around 9 minutes, and resolution time now averages only 17 minutes.

What does r-tec’s move to Exabeam mean for their SOC service customers? “Many of our incident response hotline customers will call without SIEM or IR solutions, so attacks can be complex and result in extensive damage. If they had our current service with Exabeam, these attacks could be prevented in 80–90% of cases,” according to Bittig.

r-tec’s CDC team happily reports how effectively the Exabeam Security Operations Platform reduces the overall number of alarms. Exabeam’s scoring system surfaces only the most critical alerts, so the total number of alarms is down, as are unnecessary alerts, which have shrunk by 60%. Formerly alert-fatigued analysts are also pleased with r-tec’s decision to replace the legacy SIEM solution with Exabeam, as Bittig explains, “So the analysts aren’t feeling as much fatigue. You cannot measure this quantitatively, but I get feedback from the analysts that working with Exabeam is much more fun compared to working with the legacy SIEM solution.”

Quick stats

70% drop in log onboarding times – what used to take months now takes days

60% decrease in false alerts, relieving alert-fatigued analysts

50% improvement in mean time to acknowledge (MTA), now averaging around 9 minutes

80% decline in phone calls to customers investigating normal and abnormal behaviors

Website: https://www.r-tec.net/home.html

"Exabeam gives us an initial alarm followed immediately by context information on the alarm's severity and timelines if more data is required. The SIEM only pushes forward with serious alerts, so we know if we need to switch into incident response mode,"

Sebastian Bittig

Head of the Cyber Defense Center | r-tec IT Security

Key Benefits

  • With Exabeam, r-tec’s mean time to acknowledge (MTA) has shrunk by 50%, now averaging around 9 minutes, and resolution time now averages only 17 minutes.
  • Log onboarding times have dropped by 70%, so what used to take months with a legacy SIEM solution now takes just days.
  • Exabeam has reduced false alerts by 60%, relieving alert-fatigued analysts.