Introduction

This case study delves into how a Query customer implemented a security data bridge-based solution, transforming their approach to data management and security analysis.

The Organization’s Prevailing Challenges

Limited visibility of traditional SIEM solutions

This large enterprise faced challenges with data visibility. Analysts needed an ever-growing set of new data sources to improve the intelligence and fidelity of their investigations, but these sources were rarely brought into the system because of difficulties with access and storage. The resulting incomplete picture posed a significant risk, as undetected threats could lead to serious security breaches.

Data Access Challenges

The organization had attempted to centralize data into a data lake to make it easier to use the data effectively. Analysts then had to navigate SQL and developer-centric tools, which complicated the investigation process, and were often forced to leave steps incomplete.

Onboarding any new data source into the data lake was an R&D project, requiring data engineering resources from outside the security team.

The Query Alternative: Implement a Data Bridge

The organization began looking for alternative approaches and found Query. It agreed to a POC with the goal of creating a security data bridge, which would allow it to continue using its current SIEM while gaining access to additional data sources.

Onboarding and Visibility Experience

A security data bridge was created with Query that extended the customer's visibility into their endpoint and application data. Analysts were able to easily tap into a broader range of data sources, gaining insights that were previously time-consuming to produce. This expanded visibility proved crucial in identifying and investigating potential security threats.

Adding new data sources has become a straightforward process for the team, as it takes only a few minutes to enable API access. Gone are the days when adding sources or building pipelines took days or weeks. Query lets them onboard data on demand and just in time to support post-incident forensic use cases. This agility has enabled the organization to continually extend its visibility, and it plans to integrate more data sources using Query.

Data Pipeline Simplification

One of the most notable improvements post-implementation is the simplification of the data pipeline. With Query, the pipeline requires less centralization, movement and normalization (ETL), and ingestion of data, because access now happens in place via APIs. The bridge implementation has made access to remote data transparent and efficient, and is expected to reduce the time and resources previously dedicated to these tasks.

Analyst Value and Acceptance

The Query implementation has directly impacted the work of security analysts. They can use their search bar to access all security data, whether from their existing SIEM indexes or from the security data bridge. This customer's success story serves as a blueprint for others. Contact Query for further details and references.