Using Tines to deliver a faster and more efficient security alert response service.

About Auth0

Auth0 is the first identity management platform for application builders, and the only identity solution needed for custom-built applications. With a mission to secure the world’s identities so innovators can innovate, Auth0 provides the simplicity, extensibility, and expertise to scale and protect identities in any application, for any audience. Auth0 secures more than 100 million logins each day, giving enterprises the confidence to deliver trusted and elegant digital experiences to their customers around the world.

What’s the challenge?

Auth0 needs software to support its rapid growth. The Detection & Response team handles security alerts across the whole organization, both internally and across the customer base. As the workload has increased, automation has become increasingly necessary to help the team offer speedy resolutions to the issues it handles.

Why Tines?

Auth0 previously used a different automation platform, but it couldn’t scale at the rate they required and also presented usability challenges. To put Tines to the test, Auth0 built tools on both platforms to automatically handle reports of phishing attempts.

“Tines is much easier and faster to integrate with external APIs,” says Brandon Maxwell, who leads the Detection & Response team at Auth0. “The other platform didn’t offer a lot of flexibility, especially if there wasn’t a pre-built plugin for the API we wanted to use. Tines lets us query APIs directly, saving a lot of development time, and allowing us to be much more flexible.”

As Auth0’s product evolves, the automation needed to support it evolves too, and Tines’ interface is simple and flexible enough to handle additional services and API endpoints as required.

“Other platforms have a lot of unnecessary complexity, but Tines is flexible, lightweight, and easy to use,” adds Maxwell.

Auth0’s Brandon Maxwell explains how the company makes use of Tines to deliver a faster and more efficient security alert response service:

Tines automates all the time-consuming processes that our team members would otherwise have to do themselves. This means simple cases can be handled automatically, giving the team more time to devote to more complex issues.

We use Tines to handle alert ingestion, enrichment, and notification; we’re using it to interact with our co-workers to verify activity for alerts, and we use it internally to automate quick actions like looking up information about domains.

Setting up Tines for alert automation was simple. Once we were familiar with the unique story-building workflow, we could create guides to allow any analyst on the team to automate additional processes as required in the future.
We automate all our alerts with Tines, saving us around 15 minutes for each alert that requires an analyst’s review. That works out to approximately 15 hours per week in time-savings for the team, with additional time-savings from Tines support in helping us reduce false positives. 

Meanwhile, building on the pioneering work of Slack and Dropbox, we have developed our own security bots system powered by Tines.

Any alerts that need the user’s input will make use of a security bot. The alert is fed into our ticketing system, and the security bot will then collect additional information from the user as required, asking questions like ‘did you perform this action,’ or ‘did you log in from this location?’ If the user clicks ‘yes,’ then false positives are quickly weeded out. If they click ‘no,’ then the alert is escalated to an investigation faster than it could otherwise be. The automated, seamless integration with our ticketing system is possible because of Tines.

Additionally, we communicate primarily on Slack company-wide  and Tines allows us to integrate many common investigatory functions directly into our communication there. For example, we can look up information about an IP address or domain, such as whether it has shown up in our logs before or whether it is associated with a customer’s environment or employee. Instead of having to open three tabs in a web browser and engage with multiple tools, we can do it all with one command in Slack.

All the time we save thanks to Tines gives us additional capacity to devote to complex tasks, and also gives us time to set up additional automation in Tines, optimizing our workflow even further.