How Elastic manages cyber security threats

Like any chief information security officer (CISO), Elastic’s Mandy Andress has had to grapple with a fast-changing threat landscape that could affect its business, which provides search, observability and security offerings used by organisations across industries such as government, healthcare and financial services.

The stakes of a cyber breach are high, particularly for customers in regulated industries, which makes Andress’s job all the more crucial to defend its services and assets from nefarious actors.

“From a threat landscape perspective, we focus on understanding the overall activities that are happening, the TTPs [tactics, techniques and procedures] we need to be looking for, and then building our programme to ensure we are defending and getting the best visibility we can for our organisation,” Andress told Computer Weekly on a recent visit to Singapore.

That includes a recent move to implement phishing-resistant multifactor authentication for every employee amid efforts by threat actors to leverage social engineering to access employee credentials and compromise targeted systems. “That’s an example of what we’re looking at holistically that can have a real impact on security,” she said.

Elastic’s security team also conducts regular threat hunting as well as red-teaming exercises, penetration testing and code reviews to ensure nothing falls through the cracks. “My biggest concern as CISO is what am I missing? So, we always have multiple activities to bring in different insights, perspectives and experiences to help us see what’s there and what we could be doing better,” she said.

Being a supplier of a security platform that provides visibility into the attack surface, supports incident response and threat hunting among other security capabilities has been helpful. Andress said her security team ingests about 150TB of data daily to monitor and analyse threats.

“I’ve been in security for a long time and used a number of analytics tools. If I didn’t work for Elastic, I would still be using it as my analytics tool of choice because it can really provide insights quickly on your data,” she added.

Elastic’s security team also works closely with its product development team to make sure its offerings not only meet its own needs but also that of its customers.

“Our development team for the security solution looks at the Elastic security team as a key customer,” Andress said. “The significant scale that we’re operating on – we have about 3,200 employees across 44 countries – helps them to understand the challenges that are happening, down to the analyst’s perspective,” Andress said.

For example, Andress said analysts at Elastic’s security operations centre (SOC) are involved in user experience design reviews to help product teams better understand workflows and the challenges with using a tool, making things more efficient and ensuring the company’s solutions are useful and impactful.

That includes incorporating the latest capabilities such as generative artificial intelligence (GenAI) to ease the workloads of SOC analysts. In June 2023, Elastic introduced an AI assistant powered by a GenAI engine.

“Right now, there’s a lot of time spent in the SOCs just trying to get that context and understand what an alert is trying to tell me and what I need to do about it,” she said. “AI is going to be able to pull all that together almost immediately, and so the focus is on the business impact of an incident, what I need to focus on, and whether I need to take immediate action. That will really enhance the capabilities of SOCs in the future.”

Andress acknowledged that GenAI could benefit threat actors, enabling them to craft the perfect spear-phishing email that could become harder to detect. These threats could evolve into highly adaptive malware that understands a target environment within minutes before adapting itself to compromise the environment.

“As we go from APTs [advanced persistent threats] to the quick strikes, how can we make sure we understand what’s happening much faster and react quickly? It’s going to have to involve the use of LLMs [large language models], pitting AI against AI.”

On what keeps her up at night, Andress said besides making sure her team can defend against AI-mediated threats, it’s also what they don’t have insight into, not taking some action they should be taking, or doing something differently in their defences. “That’s where CISO groups and information sharing comes in to understand what’s happening and what others are doing.”