Global real estate investment firm
chooses Expel for 24x7 security monitoring
Ivanhoé Cambridge shrinks alert-to-fix time to minutes and saves $150K by optimizing security signal
Ivanhoé Cambridge is a global real estate investment firm owned by a large pension fund in Quebec. It develops and invests in high-quality real estate properties, projects and companies that shape the urban fabric of cities around the world. The company manages approximately $60 billion in real estate assets for the pension fund, including office buildings and shopping malls.
Every provider makes big claims but they can’t back them up. With Expel, I have access to Expel Workbench™ and can log in any time I want to see what analysts are working on, how they’re handling a particular alert and what’s in the queue”
– Patrick Gilbert, Head of security and Senior IT Security Manager
Head of security and Senior IT Security Manager, Patrick Gilbert, manages a team of analysts at Ivanhoé Cambridge. His analysts are responsible for managing the company’s high volume of security alerts. He described the process of ingesting and reviewing alerts as “gruesome.” Worried about potential team turnover, he started to look for solutions that could improve their approach.
“Most of the alerts that surfaced required the team to investigate after regular business hours,” Patrick said. “I was worried about alert fatigue with my team, which was a major motivating factor in our decision to find a SOC-as-a-service provider.”
Patrick also wanted to free up his team to focus on more strategic security initiatives that were unique to Ivanhoé’s business, like creating an insider risk management model.
There were several attributes Patrick was looking for in a security partner: he wanted a service that could easily integrate with his existing tech stack, demonstrate value to both him and to his fellow executives and do all of that while automating the response to millions of alerts.
He and his team evaluated multiple managed detection and response (MDR) providers, and quickly discovered that Expel was the only tech-agnostic provider that could work with more than 50 different security tools and cloud services. He was shocked to find that other vendors all required a rip and replace of his endpoint and network security tools.
Expel’s transparency immediately piqued his interest, which was helpful not only for Patrick’s team but also for communicating Expel’s value to fellow executives and the company’s board of directors.
“Every provider makes big claims but they can’t back them up. With Expel, I have access to Expel Workbench™ and can log in any time I want to see what analysts are working on, how they’re handling a particular alert and what’s in the queue,” he said. “I also keep our shared Slack channel up on one of my computer monitors at all times. It’s easy for me to ping the Expel team and get updates from them.”
Beyond the ability to watch an investigation unfold as it happens, Patrick saw value in being able to easily export information about Expel’s investigations and present those insights to other executives and the board of directors.
“My peers at the executive level and our board of directors aren’t solely focused on security, so the easy-to-understand reports in Expel Workbench help me clearly tell the story and show the continuous value we get from working with Expel,” he said.
Expel helped us optimize our security signal, which saved us about $150,000 a year. Now we’re using that money to accelerate several other strategic security initiatives.”
– Patrick Gilbert, Head of security and Senior IT Security Manager
How Expel helped
Expel turned on its 24x7 monitoring service quickly for Ivanhoé Cambridge, connecting to tech like endpoint detection and response (EDR), network and SIEM tools, along with cloud platforms and SaaS apps like Amazon Web Services (AWS), Microsoft Azure and Office 365.
Patrick recalls the process being “painless.”
“Expel’s pricing model is so straightforward that I knew exactly what the service would cost me once we got all our tech connected,” said Patrick.
“It was also incredibly helpful for me to see Expel’s roadmap before we purchased the service; knowing what integrations they’re building and what will be available in the future helps me make decisions about the new tech I decide to purchase.”
Patrick and his team quickly noticed the benefits of working with Expel – cost savings, automation that saved his team time, rapid communication and a strong partnership between the Expel team and his own.
Benefits of partnering with Expel
- Cost savings
- Automation that drastically reduces time-to-fix
- Rapid communication
- A strong partnership between security teams
Patrick realized significant cost savings by working with Expel by refining the org’s security signal and eliminating redundancies in tech. For example, his team turned on Windows Defender for Endpoint at the recommendation of Expel, which allowed Ivanhoé Cambridge to get rid of a more expensive endpoint service that was providing less value to their investigations.
“Expel helped us optimize our security signal, which saved us about $150,000 a year. Now we’re using that money to accelerate several other strategic security initiatives,” Patrick said.
Thanks to Expel’s native integrations with AWS, Patrick also avoided purchasing another piece of technology to synthesize his Amazon GuardDuty alerts. Instead, the Expel team ingested Ivanhoé Cambridge’s AWS security signal right into Expel Workbench.
Automation that drastically reduces time-to-fix
Patrick is impressed with Expel’s ability to quickly triage and respond to millions of security alerts across Ivanhoé’s tech stack.
“It’s all about finding the needle in the haystack, which is incredibly time consuming without the right resources. Expel built a platform that ingests alerts across our vast network, evaluates and weeds out millions of false positives, and then automates the investigative steps so Expel analysts can recommend the right next actions to our team. In today’s threat landscape, with ransomware in particular, reaction time from alert to remediation needs to be measured in minutes. That’s what Expel has done for us; their approach just makes sense.
Patrick finds that Expel’s quick communication on the status of investigations – and their overall alert-to-fix time – are head and shoulders above other vendors.
He says his peer CISOs with other SOC providers report that incidents can take hours and multiple emails to remedy. Patrick says Expel’s time to remedy is a matter of minutes – thanks in part to nearly real-time Slack communication.
He also appreciates Expel’s ability to quickly triage and tune alerts.
“There are hundreds of investigations and each one takes our team at least an hour – Expel’s automations are [crunching] all of that for us so their mean time from alert to remediation is a matter of minutes. They get the signal-to-noise ratio just right, and filter out the false positives so that my team isn’t spending valuable time on something that’s not a concern.”
A strong partnership between security teams
Patrick finds immense value in the partnership between Expel’s analysts and his own team.
“Expel consistently provides my analysts with the context they need about alerts and investigations. They explain what happened, why they made each decision, how they’re remediating something and how we can prevent it in the future. We not only get to ‘done’ faster thanks to their proactive and collaborative approach, but it also strengthens our confidence in the Expel team.”
Additionally, he noted that he’s able to get his new hires up to speed faster thanks to the strong working relationship with Expel.
Patrick predicts that Expel’s approach could set an industry standard.
“Expel’s model is basically the next big thing, but the industry doesn’t know it yet. In-house cybersecurity is still a buzzword because the techies still love it and love to do it themselves. But the novelty is going to fade,” he remarked.
“Think about home alarm systems now – nobody tries to build their own. They pay a provider to come in and install their technology. If something bad happens, the owner is notified. We’re going to see the same shift in cybersecurity,” Patrick concluded.