How Texas Mutual Unified Endpoint, Identity, Cloud, and Next-Gen SIEM on the CrowdStrike Falcon Platform
Texas Mutual consolidates key security capabilities on the CrowdStrike Falcon Platform, reducing complexity and enhancing protection across its operations.
Texas Mutual Insurance Company is a workers’ compensation insurance provider headquartered in Austin, TX. It operates only in Texas, where it’s the largest provider of workers’ compensation insurance with more than 75,000 customers and 42% of the market. Cybersecurity is core to Texas Mutual’s mission, which is to provide competitive premiums while protecting its customers’ employees, controlling costs and boosting their bottom line.
Consolidation and integration are essential to Texas Mutual’s “digital transformation modernization” strategy, which involves moving most of its operations to the cloud, eliminating on-premises solutions and transitioning to SaaS or cloud-based solutions. CrowdStrike has been a vital partner in this nearly completed five-year transition, which has seen at least 90% of its security functions moved to the cloud.
CrowdStrike Falcon Platform: Cornerstone to Holistic Security Strategy
John Sapp, Texas Mutual’s Chief Information Security Officer, believes cybersecurity should be communicated and managed across the C-suite, IT management and operational technical teams so as to best address the full scope of business risks. To support this holistic approach, Sapp has centered the company’s security product strategy around the CrowdStrike Falcon® cybersecurity platform.
Sapp noted that it wasn’t just the next-level capabilities of CrowdStrike’s technology that compelled him to adopt the Falcon platform for Texas Mutual’s security goals. The value of CrowdStrike’s partnership was also immensely appealing. “I needed someone who was going to be there with me every step of the way,” Sapp said.
In the time since it adopted the Falcon platform in 2022, Texas Mutual has added multiple CrowdStrike modules on its platform maturation journey. CrowdStrike Falcon® Complete Next-Gen MDR was initially added, followed by the more recent additions of Falcon Cloud Security and CrowdStrike Falcon® Next-Gen SIEM to address Texas Mutual’s evolving needs and strengthen protection in the key areas of cloud, identity and data security.
The migration of Texas Mutual’s machines to the Falcon platform was seamless, Sapp observed, as it required fewer processes compared to previous security platforms. The benefits have so far been substantial. With CrowdStrike Falcon® Insight XDR, Texas Mutual has seen significant time savings in its ability to detect and respond to suspicious activity: the mean time to detect irregular activity is less than 15 minutes and response time is 18 minutes, meaning it takes only three minutes on average to determine what action needs to be taken after detection.
Texas Mutual has also seen time savings with the Falcon platform’s ability to quickly add new protections. Sapp said that while it might take six to nine months to procure and install products from other vendors, as an existing CrowdStrike customer Texas Mutual needs only a couple of weeks to add new protections.
An additional benefit of the Falcon platform is that it supports Texas Mutual’s strategic approach to cybersecurity with its single agent, flexible modular design and 24/7 threat monitoring from the Falcon Complete team. As an organization always looking for the next products to enhance its security posture, Texas Mutual knows it has a partner in CrowdStrike that shares its passion for innovation.
Falcon Next-Gen SIEM Speeds Detection and Response While Lowering Costs
Texas Mutual deployed CrowdStrike Falcon Next-Gen SIEM for its ability to integrate data with built-in workflow automation and leading threat intelligence. The company has a large number of log sources and often adds more. When a new SaaS application is added, its log data flows into its security information and event management (SIEM) system. “We are continuously looking for the needle in the haystack,” Sapp says. Falcon Next-Gen SIEM helps Sapp and his team surface and address alerts with greater efficiency.
“We can be more efficient, so we can process more in less time, but we can also be more effective and not miss things since we’re not subject to human error,” Sapp said. “It’s about having a capability that allows you to detect, respond and recover.”
Texas Mutual’s Senior Solution Architect Rick Robles was impressed by the querying time with Falcon Next-Gen SIEM. “You could search for pretty much anything and it comes back pretty much instantly,” he said. “It is so seamless to pull in data through their connectors, whether it's partner connectors, which is very simple, to even bringing in parsers.”
Texas Mutual opted for 12 months of data retention with Next-Gen SIEM. As a result, the company isn’t worrying about storage costs affecting its budget. It spends an estimated 50% less with CrowdStrike Falcon Next-Gen SIEM compared to its previous provider. Overall, they have reduced their security budget from $7.5 million annually when Sapp started at Texas Mutual in 2021 to $5 million currently, despite adding more modules and features.
Falcon Cloud Security Enables Digital Transformation
Texas Mutual chose Falcon Cloud Security to protect its rapidly expanding cloud environment due to the single-agent nature of the Falcon platform. “Every time you introduce a new agent into your environment, you’re adding complexity,” Sapp said. “The Falcon platform being a single agent, and having all the data come into a single agent and extending that to the cloud allowed us to have visibility immediately.”
The company’s cloud security strategy divides cloud protection into cloud security posture management (CSPM) and cloud workload protection (CWP). For Gabriel Marquez, Security Analyst and Engineer at Texas Mutual, a key benefit is having CSPM and integrating with AWS to give cloud teams a single view of information. Falcon Cloud Security’s CSPM capabilities provide the information and remediation guidance needed to address vulnerabilities, he said, and its shift-left integration and infrastructure code scanning are game-changers compared to other vendors.
Because Texas Mutual has a hybrid environment, protecting cloud resources is more of a challenge. CrowdStrike offers multiple components to address these challenges, all from a single platform. “Because we can secure workloads before they get promoted to production, the business doesn't have to fear remediation after the fact,” said Robles. “We're providing them a secure platform so they can develop and install what they need to.”
Integrated Threat Intelligence and Identity Protection Reduces Risk
CrowdStrike Falcon Adversary Intelligence Recon plays a pivotal role in increasing visibility for Texas Mutual. It continuously monitors the Dark Web for potential threats targeting the organization, enhances threat monitoring and detection and provides Sapp with peace of mind. “Visibility is critical to protecting your environment, especially when it comes to understanding and managing the external attack surface,” he explained.
For Robles, the decision to implement Falcon Recon was driven by growing concerns about the risks to customer identities, caused by issues such as outdated passwords and infrequently used accounts.
“There are a lot of inactive accounts that people only use occasionally, like once a year to pay a policy,” Robles explained. Even more concerning, some of these accounts belonged to high-visibility individuals, such as board members, which made them prime targets for attackers.
By combining Recon with Falcon Identity Protection, Robles has been able to directly address these risks. Recon identifies compromised credentials from external sources and integrates this intelligence with ITDR, which allows the organization to act quickly by resetting affected passwords and securing at-risk accounts. This seamless integration ensures both external threats and internal vulnerabilities are mitigated effectively.
The Foundation for a Comprehensive Approach to Security
When Robles started researching which cybersecurity products could be integrated with the Falcon platform, he noticed many integrations were native — which is a big plus. Now, he seeks out technology that integrates with the platform.
“My number one question to anyone is, do you integrate with CrowdStrike?” Robles said of speaking with other vendors. “And if they do not, then goodbye. Because that is our number one platform.”
He and his colleagues appreciate the open integrations the Falcon platform has with other companies, as well as its innovation capabilities: “I've just been here about a year and a half and it's a totally different platform now than back then,” he added. “It's way more mature and I’m excited to see what happens next.”