USAA, Security Analytics, and a Journey to the Elastic Stack

Is your company getting the most out of its SIEM and log management solutions? Allow us to share a story with a happy ending. It's about a company that needed the best way to analyze their ever-growing data, in order to protect personal information and other sensitive files. The analysts now enjoy faster, easier data management, while predicting and averting cyber threats all along the way … all while USAA saves money.

USAA is a financial institution serving the U.S. military community, and Neelsen "Nelly" Cyrus has been a part of that institution for almost two decades. As a senior security analyst in the company's Cyber Threat Operations Center (CTOC), his primary focus is infrastructure support. At Elastic{ON}¹⁶ in San Francisco, we were honored to host Nelly and five other attendees from the USAA CTOC.

USAA's 93-year history stretches back to a group of U.S. Army officers who saw a need for auto insurance when other insurers had classified military officers as "high risk." Today, USAA employs over 26,000 people, boasts a multi-billion dollar annual net income, and has been consistently named one of the 100 Best Companies to Work For over the past 11 years by Fortune.

At Elastic{ON}¹⁶, Nelly presented on USAA's transition to the Elastic Stack from a security information and event management (SIEM) solution — a transition that saved the company money and improved productivity among the company's security analysts.

The presentation included a recipe for "hunting" — the practice of information security analysts proactively seeking out malicious activity and vulnerabilities before harm is done. Hunters have to think like attackers and block off routes before they can be exploited.

As the volume of these attacks is ever-increasing, analysts like Nelly and the team at USAA CTOC rely on technology like the Elastic Stack for effective logging and constant monitoring for malicious activity.

USAA traditionally invested in large enterprise solutions. Advocating the Elastic Stack, an open source product, up the chain of command for use at the size and scale needed by the CTOC team was challenging. However, the subscription support available from Elastic's world-class engineers made all the difference.

"We know that they're there, and they've proven it time and time again," Nelly said. One manager assured Nelly that he made the right move. The cost was easily justifiable based on seeing analyst productivity improvements.

In production, USAA's Elastic Stack deployment has grown to seven clusters, grouped by feed type — feeds change often but include "almost all of the major security appliances," Unix and Windows server events, etc. — after they broke up their single, monolithic cluster (and upgraded to Elasticsearch 2.0) about two months before Elastic{ON}16. They send 24 feeds into Elasticsearch, with between 2 billion and 4 billion security events daily and an average of about 52,700 events per second. They have 53.11 billion documents in their store.

To watch the full USAA presentation, click the image above or just follow this link.

About moving to the multi-cluster setup, Nelly noted that they cut the time it takes to create a snapshot of their data from 20+ hours to 10 hours, with the snapshots executed in parallel. It's important for all companies to back up data, but keenly important for those in financial and military spaces like USAA. The great thing about Elasticsearch's snapshot API is that after the first backup process, subsequent snapshots save the delta change between the existing snapshots and new data. Transmitting far less data means snapshots takes less valuable time away from CTOC personnel.

Bottom line: USAA's old SIEM and old log management solution weren't giving them the same bang for the buck that the Elastic Stack does today. Elastic quickly became an integral part of USAA's cyber threat prevention process, and the speed and scale of Elastic helps these analysts ask questions (and find answers) that they couldn't ask before — and if this interests you, definitely watch the recording and hear all about Nelly's eight steps for hunting success.

And if you want to check out more Elastic{ON} security analytics presentations, we suggest Tapping Out Security with FireEye, Hunting the Hackers by Cisco's Talos, Tinder: Keeping Your Data From Getting Swiped Right Away from last year's Elastic{ON} Tour — Los Angeles, and Cyber Security Log Analytics with Decision Lab at Elastic{ON} Tour — Washington, D.C.

Nelly is also active in the San Antonio DevOps Meetup. If you are in the San Antonio, Texas, area on April 25, 2016, attend to learn about the USAA use case and more.