Major Hospital System Cuts Azure Sentinel Costs by Over 50% with Observo.ai
The Challenge
A large North American hospital system saw rapid increases in its Microsoft Azure Sentinel SIEM expenses, driven primarily by the escalating growth of security telemetry data. Their primary data sources were Fortinet Firewall logs, Windows Event Logs, Active Directory, Domain Controller, and DNS logs. All of these sources contain vital information about their security posture, but collectively their increasing volumes were straining the budget with rising Sentinel ingestion, data retention, and compute costs. Query performance also began to lag as the amount of log data in their SIEM grew.
Their security team was also being inundated with a large volume of false or insignificant alerts, which made prioritizing important alerts and resolving critical incidents very challenging. They worried that this “alert fatigue” could be masking alerts that needed to be addressed right away and might lead to a serious attack or data breach that otherwise could have been prevented.
The company’s Security Operations Center (SOC) analysts were spending an increasing amount of time managing data and creating makeshift pipelines to try to handle this growth. These manual workarounds not only kept them from the actual work of improving enterprise security, they also forced difficult decisions about what data to send to Sentinel for analysis. Manual sampling, and turning off certain data streams altogether when telemetry volumes spiked, helped them reduce the amount of data ingested into Sentinel, but they feared they might be missing data that could have a big impact on their security policies.
The Solution
Leaders in the SOC team knew they could not hold off the increase in security data for much longer with the rudimentary workarounds they had been employing. The SOC Director tasked his team with finding a smarter, long-term solution. One of the SOC team members reached out to Observo.ai after researching various observability and security data pipeline solutions.
The team ultimately chose Observo.ai for these key features:
- Data Optimization and Reduction
- Dynamic Data Enrichment
- Searchable, Low-cost Data Lake
- Compliance and Sensitive Data Discovery
With Observo.ai, they built a dynamic AI-powered pipeline that included specialized transforms for each of the data types they wanted to ingest. The Smart Summarization feature helped them dramatically reduce data volume without losing any of the insights in the data they sent to Sentinel. They enriched data with pattern-based sentiment analysis to highlight alerts that needed immediate attention to distinguish them from more routine or false positive alerts. They also created a security data lake in low-cost cloud storage to ensure they were in compliance with data retention policies.
Companies in the healthcare industry also have to contend with regulations like HIPAA, the Health Insurance Portability and Accountability Act, which protects the medical information and history of individuals. The company is also subject to PCI DSS, Payment Card Industry Data Security Standard, and the Personal Information Protection and Electronic Documents Act (PIPEDA). They used Observo.ai features that automatically detect sensitive information even when it shows up in unexpected places like open text fields, voice-to-text summaries, etc.
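The pipeline stages described above (per-source reduction of repetitive routine events, enrichment tags for triage, sensitive-data discovery in free-text fields, and a full-fidelity data lake that can be rehydrated back into the SIEM) as a small added example in Python. This is illustrative code written for this page, not Observo.ai's product or the hospital's actual pipeline; the log lines are constructed Fortinet-style key=value records, and the field names, priority rules, port list and redaction patterns are assumptions chosen for the demonstration.

```python
import re
from collections import OrderedDict

# Constructed sample: firewall events in key=value form (field names are assumptions).
SAMPLE_FIREWALL = (
    ['srcip=10.1.1.5 dstip=10.1.0.2 dstport=53 action=accept level=notice'] * 8
    + ['srcip=10.1.1.22 dstip=198.51.100.4 dstport=443 action=accept level=notice']
    + ['srcip=10.1.1.9 dstip=203.0.113.7 dstport=445 action=deny level=warning'] * 2
    + ['srcip=10.1.1.30 dstip=198.51.100.9 dstport=22 action=deny level=critical '
       'msg="patient SSN 123-45-6789 pasted in form"']
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Patterns for identifiers that must never reach the SIEM in clear text.
SENSITIVE_PATTERNS = {
    "SSN": re.compile(r'\b\d{3}-\d{2}-\d{4}\b'),
    "CARD": re.compile(r'\b(?:\d{4}[ -]?){3}\d{4}\b'),
}
# Ports where a denied connection deserves analyst review (assumption).
SENSITIVE_PORTS = {"22", "445", "3389"}


def parse(line):
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def mask_sensitive(rec):
    """Redact SSN/card-like tokens in any field, including free text, and flag the record."""
    found = set()
    for key, val in list(rec.items()):
        for name, pat in SENSITIVE_PATTERNS.items():
            if pat.search(val):
                found.add(name)
                val = pat.sub(f"[REDACTED-{name}]", val)
        rec[key] = val
    if found:
        rec["sensitive"] = ",".join(sorted(found))
    return rec


def enrich(rec):
    """Attach a priority tag from simple patterns so analysts can triage the urgent ones first."""
    if rec.get("level") == "critical" or rec.get("sensitive"):
        rec["priority"] = "urgent"
    elif rec.get("action") == "deny" and rec.get("dstport") in SENSITIVE_PORTS:
        rec["priority"] = "review"
    else:
        rec["priority"] = "routine"
    return rec


def summarize(records):
    """Collapse repeated routine records into one record carrying a count.
    Anything tagged above routine passes through unchanged, so nothing
    an analyst needs to act on is lost in the reduction."""
    buckets, passthrough = OrderedDict(), []
    for rec in records:
        if rec["priority"] != "routine":
            passthrough.append(rec)
            continue
        key = (rec.get("srcip"), rec.get("dstip"), rec.get("dstport"), rec.get("action"))
        if key not in buckets:
            buckets[key] = dict(rec, count=0)
        buckets[key]["count"] += 1
    return passthrough + list(buckets.values())


class DataLake:
    """Full-fidelity store for every raw line: cheap to retain, searchable, rehydratable."""

    def __init__(self):
        self.rows = []

    def store(self, source, line):
        self.rows.append((source, line))

    def rehydrate(self, source=None, contains=None):
        """Return raw lines matching the filters so they can be routed back to the SIEM."""
        return [line for src, line in self.rows
                if (source is None or src == source)
                and (contains is None or contains in line)]


def run_pipeline(source, lines, lake):
    """The lake keeps every raw line; the SIEM receives masked, enriched, summarized records.
    Returns the SIEM-bound records and the fraction of records removed."""
    records = []
    for line in lines:
        lake.store(source, line)
        records.append(enrich(mask_sensitive(parse(line))))
    to_siem = summarize(records)
    return to_siem, 1 - len(to_siem) / len(lines)


if __name__ == "__main__":
    lake = DataLake()
    siem_records, reduction = run_pipeline("fortigate", SAMPLE_FIREWALL, lake)
    print(f"{len(SAMPLE_FIREWALL)} raw -> {len(siem_records)} to SIEM ({reduction:.0%} reduction)")
    for rec in siem_records:
        print(rec)
    print("rehydrated:", lake.rehydrate(contains="dstport=22"))
```

Raw lines never go to the SIEM with the SSN intact, but the lake keeps them verbatim, so the record can still be rehydrated for an investigation; in a real deployment the lake itself would need the same access controls the regulations named above require.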
Results
“Sentinel is critical to securing our organization, but we couldn’t analyze everything we needed for a complete picture. Observo.ai helped cut our costs in half and onboard more high value data.”
Jorge A., Director, Security Operations Center
Using the data source-specific algorithms that Observo.ai applies to optimize and reduce data, they were initially able to reduce the total log volume ingested into Sentinel by more than 78%. Because Observo.ai models are always learning and improving, they expect to achieve reductions of more than 85% within the first 3 months. These reductions also allowed them to fully onboard all of the data that mattered to them and to add further telemetry, including CDN and cloud infrastructure logs.
They reduced the total cost of their Sentinel platform including storage and compute costs by more than 50%. By using the security data lake they were able to retain full fidelity of all of their data for a fraction of the cost and drop data from Sentinel after just a few days. They are confident they can recover any data on-demand by “rehydrating” it from the data lake and routing it back to Sentinel for later analysis.
They eliminated their alert fatigue by adding sentiment tags to alerts. This allowed their team to prioritize the most important alerts leading to a 35% reduction in mean time to resolve critical incidents.
Their SOC team stopped spending multiple cycles managing their bursting data pipeline and got back to doing things in their actual job description.
Learn More
For more information on how you can save 50% or more on your security and observability costs with the AI-powered observability pipeline, read the Observo.ai whitepaper, “Elevating Observability with AI.”