Blackpoint Cyber is the frontrunner in the managed detection and response (MDR) space, leveraging a proprietary ecosystem to help its partners fight back and win against cyberthreats. Founded in 2014, the company proudly continues to safeguard businesses around the world.
Blackpoint Cyber’s application control and exposure management, combined with a 24/7 threat operations (ThreatOps) center, stops even the stealthiest cloud-based threat actors in their tracks.
The ThreatOps team wanted to take advantage of advanced analytics to stay steps ahead of malicious actors — who often use legitimate IT tools to hide in plain sight. Find out how Blackpoint now uses Amazon Simple Storage Service (Amazon S3) cloud object storage with ChaosSearch to create a unified data model, mitigating both on-prem and cloud-based cyber attacks with an ultra-performant threat analytics platform.
Following the COVID-19 pandemic, cloud-based threat actors have become increasingly sophisticated. They use legitimate IT software to hide out on corporate networks, escalating privileges and remaining undetected until it’s too late. “While attackers used to write a virus to insert a piece of malware, we’re now seeing a big investment in threat actor tooling,” said Jon Murchinson, Chief Executive Officer at Blackpoint Cyber. “Modern attacks are far more difficult to detect, as threat actors can use this tooling to become domain admins, targeting authentication and authorization systems. Speed kills in this game, as legitimate software lets attackers hide in plain sight.”
A major competitive differentiator for Blackpoint Cyber is its ability to detect even the stealthiest unauthorized behavior by focusing on attackers’ lateral movement patterns. While endpoint detection and response (EDR) tools miss 50-70% of these attacks, Blackpoint is uniquely able to detect the malicious use of legitimate IT software. Doing so, however, required building a cybersecurity analytics engine that could sift through large volumes of log and event data at scale and at speed.
“Data is central to everything we do,” said Murchinson. “We’re pulling in feeds from our own agent technology, along with our customers’ agent technology. We needed to bring this data into a unified platform to run data analytics and reach our customers with accurate detections and alerts. If we don’t have an elite, cost-efficient data model that is structured correctly, none of this works.”
Before finding ChaosSearch, Blackpoint Cyber used a hosted Elasticsearch deployment to analyze data in Amazon S3. The team quickly found their margins eroding, as the cost of ingesting and retaining data became too high to justify. The engineering team selected ChaosSearch after Murchinson challenged them to find a tool that could add 1-2 points of gross margin.
Working from the thesis that elite data design on ingest, storage, and processing could drive competitive advantage, the team tested ChaosSearch. Switching to ChaosSearch was easy. The ThreatOps team could use the OpenSearch API within ChaosSearch to analyze data in S3 in a familiar way. Within a week, a portion of the system was up and running in a production environment. They quickly saw the cost difference from their previous Elasticsearch cluster, while realizing the same performance benefits.
“Complexity is the enemy of any live operation,” said Murchinson. “The biggest difference from Elasticsearch is that ChaosSearch separates storage and compute, so we are able to spend less and search at the same performance. We ingest data into S3 and our analytics require little management or performance tuning. Scaling is fast and seamless. Best of all, data is stored on infrastructure we own, so we maintain command and control over it.”
Today, the team uses ChaosSearch as a part of its elite ThreatOps and threat detection offerings. They are able to retain logs for longer, which is critical for long-term threat hunting, data breach investigations, and compliance purposes. In addition, the engineering team relies on ChaosSearch for troubleshooting within their own systems.
As a result, the Blackpoint Cyber team has gained a significant competitive advantage with an advanced, cost-efficient data model and lightning-fast response times. The team can write directly to S3, manipulate data easily, and use the Elastic Common Schema to structure data. With ChaosSearch, the team has saved 80% over hosted Elasticsearch costs.
“Once a threat actor has a privileged credential you have T-20 minutes to act,” said Murchinson. “Our responses for cloud are under 7 minutes from alert to action, and under 20 minutes for on-prem. Our elite data model delivered via ChaosSearch has helped us achieve these response times. Now we can test different go-to-market motions, adjust our pricing, and accelerate our platform roadmap.”
With ChaosSearch, the Blackpoint Cyber team has simplified complex data operations without incurring additional costs or sacrificing speed. Morale is high. Unifying the underlying data model has been a strategic play for the company, enabling it to take on entrenched competitors and further disrupt the cybersecurity industry with its state-of-the-art platform.
“ChaosSearch lets us retain more data, and drive higher revenue growth. The value prop is simplicity: Speed and results matter. We can use ChaosSearch to go to market more effectively, or invest in additional security technology to deliver more value to our customers,” said Murchinson. “It’s foundational technology for us. Anything I can save with, I’ll go to war with.”
Cybersecurity
Denver, CO
©2024, ChaosSearch®, Inc.
Elasticsearch, Logstash, and Kibana are trademarks of Elasticsearch B.V., registered in the U.S. and in other countries. Elasticsearch B.V. and ChaosSearch®, Inc., are not affiliated. Equifax is a registered trademark of Equifax, Inc.