Data is critical for security leaders. But few want to be considered a “cost centre” and told by their CFO or CIO that storing it costs too much. 

eCommerce provider THG Ingenuity receives a LOT of data from both customers and the signals generated by its expansive technology estate.

The company provides technology to support the online operations of a wide range of retailers including Holland & Barrett and The Range.

The analysis of data flowing in from across this ecosystem is critical to ensuring resilience and security – for the company and its customers. 

Deputy Chief Security Officer Ryan Kennedy looks after its engineering and security operations teams. He told The Stack that “we've got data centers on-premises, and we use all three of the major cloud providers.” 

He added: “Because we've got technology in so many different places, we need to make sure that those systems are built to best practices.”

He also needs granular insight into how those systems are performing.

THG Ingenuity relies on Elastic Security to support it.

For Kennedy, one of the many things that stand out about Elastic’s integrated security proposition is that this data can easily be stored in tiers that bring down cost fast compared to alternatives. As he puts it:

“In security, the size and volume of logs is always growing, so being able to store that for a reasonable timeframe is an absolute necessity.
“Elastic, with its different tiers of storage and searchable snapshots you can use, has really saved us massively on the amount of space, and therefore the amount of spend, that you have to do to store those logs.” 

THG Ingenuity, he explains, has slashed storage costs by 60% through intelligent use of Elastic data storage tiers for content and time-series data.

“For data that we are not going to be searching all the time, such as data that has already had queries run on it when it first hit the platform, but is now stored for long-term compliance reasons and for analysts to go search back on if an incident happens, we ‘snapshot’ it,” says Kennedy. 


“Moving data to ‘frozen’ storage reduces our dependency on more expensive storage hardware. It means it's slightly slower to come back, but it's hardly ever touched unless we really need it. It has saved us massively on the amount of space and therefore the cost required to store logs.”
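The tiering Kennedy describes is expressed in Elasticsearch as an index lifecycle management (ILM) policy. The policy below is an added illustration, not THG Ingenuity's configuration: it rolls hot indices over, moves them to the frozen tier after 30 days as a searchable snapshot, and deletes them after a year. The policy name, the repository name `example-snapshot-repo`, and the ages and sizes are assumed values; the request would be `PUT _ilm/policy/security-logs-tiered`.

```json
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_primary_shard_size": "50gb",
            "max_age": "7d"
          }
        }
      },
      "frozen": {
        "min_age": "30d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "example-snapshot-repo"
          }
        }
      },
      "delete": {
        "min_age": "365d",
        "actions": {
          "delete": {
            "delete_searchable_snapshot": true
          }
        }
      }
    }
  }
}
```

Indices in the frozen phase stay queryable from object storage, which is the slower-to-return but rarely touched data Kennedy refers to; the retention period should match whatever compliance window applies to the logs.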

The Cloud Security Posture Management (CSPM) feature in Elastic Security, meanwhile, has proved invaluable in ensuring all of the systems in Ingenuity’s IT environment are built to best practices. The module discovers and evaluates the services in a cloud environment against configuration security guidelines to help identify and remediate risks that could undermine the confidentiality, integrity and availability of cloud data. 

“CSPM in Elastic allows us to have real insight into where things haven't maybe been built to the best security standards,” says Kennedy. 

“It also can alarm us to new things being built in the future that aren't quite following the practices we would like to instill within our engineers.

“We can provide that data to the actual owners of those cloud accounts, so they can monitor themselves what is going on within their accounts.

“We've found it really useful. All of my teams use Elastic. It's the first place they go to when we want to investigate an incident, do threat detection or hunting. It’s the centre of how security operates at THG Ingenuity.

“We gather data from all over our global estate, inputting that into Elastic and then using the pre-built rules and analytics that Elastic Security gives us to detect, react and mitigate threats, as well as our own rules on top of it for our own internal context that we're working with.”


Security analytics insights are, of course, invaluable for security operations. But Elastic dashboards can also be seen on screens across the THG Ingenuity business. That includes senior leadership who are interested in vulnerability reports, what types of security incidents have occurred, and how quickly Kennedy’s team have been able to respond to them.

THG Ingenuity’s engineers, meanwhile, often need to look across multiple data sets when troubleshooting their applications. 

Elastic Common Schema allows them to easily search across multiple different data sources. And as Elastic is used across the business, the security team can respond to requests in a language other teams understand.

“If you're looking for an IP address or a domain that might have been connected to a command and control from part of a threat actor's botnet, you can literally search once everywhere and that's really useful for the security team as well as for other teams,” Kennedy adds. 

“With Elastic we can send other teams the query we ran to find something out, and they can understand that query. Having that common language is really useful and really good for cross communication.”
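The "search once everywhere" Kennedy describes works because ECS gives every data source the same field names. The query below is an added example, not one from the article: it looks for a single indicator across all `logs-*` indices using the ECS `related.ip` and `related.hosts` fields, which collect every IP and hostname in an event, plus the per-direction fields for sources that do not populate `related.*`. The IP `203.0.113.7` (documentation range) and the domain `malicious.example` are constructed placeholder values; the request would be `GET logs-*/_search`.

```json
{
  "query": {
    "bool": {
      "should": [
        { "term": { "related.ip": "203.0.113.7" } },
        { "term": { "source.ip": "203.0.113.7" } },
        { "term": { "destination.ip": "203.0.113.7" } },
        { "term": { "related.hosts": "malicious.example" } },
        { "term": { "destination.domain": "malicious.example" } },
        { "term": { "dns.question.name": "malicious.example" } },
        { "term": { "url.domain": "malicious.example" } }
      ],
      "minimum_should_match": 1
    }
  },
  "sort": [ { "@timestamp": { "order": "desc" } } ],
  "size": 50,
  "_source": [
    "@timestamp", "event.dataset", "host.name",
    "source.ip", "destination.ip", "destination.domain", "dns.question.name"
  ]
}
```

Because the same query runs unchanged against firewall, DNS, proxy and endpoint data, it is also the query the security team can hand to another team as Kennedy describes.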

Delivered in partnership with Elastic.
