Logistics firm refreshes SecOps, replaces EDR with XDR

A refresh of SecOps tools led Flexport to Uptycs, enabling the firm to centralize security monitoring and incident response for endpoints and cloud resources.

A freight logistics company undergoing digital transformation overhauled its SecOps tools, which led it to embrace an extended detection and response tool for security monitoring and incident response.

This transition for the company, Flexport, began in 2019, when its IT team started to reassess its SecOps tools, from overall security information and event management (SIEM) to endpoint detection and response (EDR) for employee laptops and workstations. The motivation for the refresh was twofold: some dissatisfaction with existing tools and a move to AWS cloud infrastructure that called for new ways of managing IT security operations.

"Shortly before I joined, we only had a single AWS account. [Then] suddenly, we had a dozen," said Taylor Merry, who joined Flexport in 2019 and is director of security operations at the freight logistics and supply chain company in San Francisco. "We had some tooling there, but it wasn't really a good fit for us at our stage and maturity level."

Flexport replaced its previous SIEM tool with a product from Sumo Logic and added antimalware support with SentinelOne. Along the way, Merry met the founders of a security monitoring and incident response vendor called Uptycs. Soon, Uptycs would take the place of Flexport's previous EDR tool. The firm would also begin using Uptycs to replace its RedLock cloud security posture management (CSPM) tool.

"It's a great tool, a great platform, but it's coming with an enterprise price tag," Merry said of RedLock, now part of Palo Alto Networks' Prisma Cloud suite. "We might be back in a couple of years when we have a bigger team and the need for some of the more advanced capabilities that that platform provides, but it just wasn't a good fit for us."

Taylor MerryTaylor Merry

From EDR to XDR, via Osquery

Uptycs, founded in 2016 and based in Waltham, Mass., is an emerging security analytics platform vendor with products that address cloud workload protection, CSPM, EDR and a newer category called extended detection and response (XDR). XDR, an extension of EDR, unifies telemetry data from infrastructure, networks and endpoints and can be used to manage and orchestrate an IT team's response to security issues, wherever they happen in the IT domain. Other vendors also offering XDR features include Palo Alto Networks; Trend Micro; and Cmd, a startup recently acquired by Elastic Inc.

Initially, Flexport deployed Uptycs for EDR. Part of what attracted Merry to Uptycs' approach was its use of Osquery, an open source utility developed at Facebook that collects endpoint monitoring data without requiring a running process on a device's local disk, which can slow device performance for end users. With Osquery, endpoint monitoring data can also be searched using familiar SQL commands by SecOps staff during a security investigation.

"I was looking to go deeper and have a broader set of data points for endpoints that would allow us to investigate things an antimalware system isn't going to be able to detect," Merry said.

For example, at one point, Flexport's software engineers were concerned that one of the new SecOps tools was altering a host file on their laptops, but Merry's team was able to see via Uptycs that the change was due to a Docker process, not any malicious or inappropriate activity on the system.

"It goes beyond what an antimalware tool would've been able to do, because they're focused in on security events, and we're thinking bigger picture," Merry said.

This bigger picture now includes keeping tabs on Flexport's ever-growing AWS infrastructure, which will soon span about 100 separate accounts. Here, Uptycs has taken over for RedLock as a CSPM tool.

SecOps and IR efficiency
SecOps teams must provide efficient incident response.

Uptycs uses other utilities to gather data from cloud resources, such as Cloudquery and Kubequery, but the data is presented in a similar way to Osquery data from endpoints, Merry said.

"We were able to get a very similar Osquery-style SQL interface to query our infrastructure and collect data off of different things in the environment, like [Elastic Compute Cloud] instances [and] containers," he said. "It's giving us good monitoring and alerting against SOC 2 control requirements, as well as things like [Center for Internet Security] AWS benchmarks."

Flexport will broaden internal users' access to Uptycs data once more precise role-based access controls (RBACs) are added in an update slated for early November. These controls will mean Merry can safely grant access to Uptycs data beyond security operations and engineering teams to site reliability engineers and product managers.

"I'm positioning Uptycs for the future as a visibility layer," Merry said. "If I can provide good [RBAC] by Uptycs, then I can let them see some of this stuff in the various AWS accounts without having to give them an account to log in and poke around."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on Systems automation and orchestration

Software Quality
App Architecture
Cloud Computing
Data Center