“Gigamon ThreatINSIGHT exceeded our requirements of providing robust visibility to activity on our network, delivering high-fidelity detections, and removing distractions from our team,” Michael Frances, manager cyber security advanced threat and response for Wyndham Hotels & Resorts, has revealed.
He was referring to the global situation, but Wyndham has scores of hotels and resorts in Australia and New Zealand. Most are Ramada while others are branded La Quinta, Microtel, Trademark and Wyndham (both pure Wyndham and Club Wyndham).
The organisation’s security challenges included having distributed properties and workers; safeguarding point-of-sale systems, corporate information and personal identity information (PII) from cyber-attacks; lack of complete visibility across all devices on their core and cloud; and security tools requiring extensive training.
The solution lay in implementing Gigamon threatINSIGHT™ and GigaVUE-FM with AWS. These tools delivered customer benefits including foundational visibility: combining with Wyndham’s EDR to close the SOC visibility gap; minimal distractions have allowed Wyndham’s SOC/IR teams to focus on threat management, rather than tool maintenance; and powerful threat hunting with Applied Threat Research (ATR).
Based in the United States, Wyndham Hotels & Resorts, Inc is one of the world’s largest hotel chains. Its portfolio consists of 20 hotel brands with over 9,000 locations. Wyndham Hotels & Resorts makes travel possible for all. From big cities and small towns to beachfront resorts and highway hotels, 22 iconic brands bring a diverse perspective to the travel experience.
Business Challenge
For a large global hotel chain with distributed properties and workers, safeguarding Wyndham’s point-of-sale systems, reservations, corporate information and personal identity information (PII) from data breaches, ransomware, and other cyber-attacks is critical.
While Wyndham’s strong endpoint detection and response (EDR) solution provides visibility into threat actor behaviours on protected endpoints, gaps remained on devices they couldn’t deploy the EDR agent (unsupported devices or unmanaged IoT devices).
To close the SOC visibility gap, Wyndham knew they needed to expand their visibility across all devices on their core and cloud network by adding a Network Detection and Response (NDR) solution. Wyndham also had another initiative to significantly reduce distractions to their SOC and IR teams, allowing them to focus on adversaries rather than dealing with security tools that require extensive baseline training, false positive tuning, or on-premises care and maintenance.
Resolution
With a strong frontline (e.g., NGFW, AV, SASE, etc.) security-stack, EDR and SIEM in place, Wyndham turned to Gigamon ThreatINSIGHT Guided-SaaS NDR and GigaVUE Cloud Suite for AWS to provide full L2-L7 network visibility to every device on their core and cloud networks. While examining multiple leading NDR vendors, Wyndham chose ThreatINSIGHT based on the offering’s ability to deliver multiple benefits.
These included: cloud-native architecture, comprehensive network visibility, extending security and compliance to AWS deployments; having wide-ranging detection techniques; advanced threat hunting capabilities; robust triage and investigation tools.
Guided-SaaS with expert support has delivered fast, simple deployment, zero maintenance, ongoing product enablement as well as threat and response guidance.
Wyndham has received multiple benefits. By closing the SOC visibility gap, the organisation has created a robust deep observability foundation to protect their distributed network of properties and workers.
Benefits include: foundational visibility, combining with Wyndham’s EDR to close the SOC visibility gap; minimal distractions by aiding Wyndham’s SOC/IR teams to focus on threat management, rather than tool maintenance; and advanced detections which identifying threats by blending threat intelligence, behaviour analysis, and machine learning.
Additional benefits include: Powerful threat hunting:, which enables Wyndham’s hunters with observations and retained historical network metadata; guided triage and investigations which assist Wyndham’s SOC analysts with published guided-next steps; and a unique guided-SaaS solution which provides Wyndham with experienced advice when it matters most.
Drilling down to sector use cases shows multiple benefits:
Management & Maintenance
Technical Capabilities: ThreatINSIGHT provides a cloud-native architecture and SaaS deployment model provide quick and easy deployments; while customers benefit from Wyndham’s visibility to network activity of any device on their network within minutes. With near-zero ongoing care and feeding, Wyndham SOC/IR teams can focus on adversaries, not tool management.
Visibility
GigaVUE Cloud Suite for AWS and ThreatINSIGHT provides East-West, North-South and container traffic as well as L2-L7 near-pcap level visibility in the form of recorded rich network metadata.
Customers benefit as Wyndham’s SOC and IR teams can triage, hunt, and investigate active threats and have the context to understand the adversary’s behaviours.
Adversary Detection
ThreatINSIGHT delivers a combination of proprietary threat intelligence, behavioural analysis, and both supervised and unsupervised machine learning techniques to identify and classify attacker behaviour.
Customers benefit as a wide range of detection techniques provides higher fidelity findings and reduces Wyndham’s Mean-Time-To-Detect (MTTD).
Baseline Training and Tuning
The ThreatINSIGHT detection techniques run in the cloud where Gigamon’s ATR team performs continuous QA and detection tuning on all detection techniques to ensure high quality findings. Customers benefit as Wyndham doesn’t have distractions posed by other NDRs that require extensive baseline training for a month or ongoing routine false-positive tune-ups.
Threat Hunting
ThreatINSIGHT delivers ATR-derived ‘observations’ (hunting starting points), advanced query capabilities, and enriched metadata that includes detailed information about the entity and event context.
Customers benefit as Wyndham now has a single platform with all the network context to hunt for the presence of adversaries.
Triage and Investigation
ThreatINSIGHT offers ‘Guided Next-Steps’ that provide threat specific advice on how to both triage a threat and best practices to perform an investigation. Wyndham now has a single platform and tools to query and examine retained network metadata to quickly validate findings and begin the response process.
Deployment & Support
The ThreatINSIGHT Guided-SaaS delivery model includes field-tested Gigamon security analysts or incident responders (TSMs) to assist with deployment, enablement, health checks, and incident advisory guidance.
Customers benefit in that when facing a potential incident, Wyndham’s SOC/IR team can receive threat actor technics, tactics and procedures and best practice guidance on how best to investigate and respond from Gigamon TSMs.
Deep observability
While being a Gigamon GigaVUE next generation network packet broker customer is not a requirement to achieve the value ThreatINSIGHT provides, it ensures that organisations are providing the right network traffic to their NDR.
For Wyndham, their confidence in Gigamon’s network visibility expertise bolstered their assessment that ThreatINSIGHT was the best NDR for them. Wyndham knew they could easily manage the traffic being observed by ThreatINSIGHT, decrypt any encrypted traffic for inspection, and de-duplicate any traffic to ensure optimised ThreatINSIGHT performance.