Circle K Cuts Threat Containment Time by 99%
Over a 5-year partnership with ReliaQuest, Circle K transformed its security operations, overcoming challenges such as fragmented IT and OT environments, frequent acquisitions, and scalability demands.
The ReliaQuest GreyMatter security operations platform played a central role in this transformation, delivering measurable results tailored to Circle K’s unique needs.
Better MITRE ATT&CK Coverage
Lower Alert Noise
Mean Time to Contain
Making Sense of Multiple IT and OT Environments for Unified Security Operations
Circle K’s global operations include more than 16,000 convenience stores, fuel terminals, and corporate offices across 25+ countries. Each segment presents unique security challenges: fuel terminals require operational technology (OT) protection, while retail systems face threats to point-of-sale (POS) and customer data.
Frequent acquisitions add to the challenge. Each newly acquired company brings its own legacy systems and technologies, and integrating these systems—or replacing them entirely—is both time-intensive and costly.
Over time, it all culminated in two significant problems for Circle K:
- Long containment times: Their security operations struggled to respond to threats efficiently, creating significant risk exposure across their IT and OT environments.
- Lagging legacy technologies: Their legacy SIEM couldn’t scale to meet growing data demands, and operational inefficiencies left their security team overwhelmed by noise.
Head of Global Cybersecurity Pat O’Keefe partnered with ReliaQuest and its GreyMatter security operations platform to solve these challenges.
The Path to 5-Minute Containment: Advanced AI and SOC Automation
Before partnering with ReliaQuest, Circle K was containing threats in about 24 hours, but O’Keefe knew that was not fast enough to thwart some attackers.
Since deploying GreyMatter’s automated detection and response workflows, Circle K has reduced false positives to less than 5% and accelerated containment times to just 5 minutes. Because the platform’s automation and agentic AI capabilities are taking care of tier 1 and tier 2 tasks, Circle K analysts are freed up to focus on proactive activities such as threat hunting and forensics.
Modern Security Operations Environment
Rapid Containment
Limitless Scalability
A Seamless Migration to a More Modern SIEM
At one point in the relationship, Circle K was grappling with its legacy SIEM. The platform couldn’t scale to meet Circle K’s growing data ingestion demands, especially following acquisitions, and visibility gaps left the organization vulnerable.
“We needed to ingest so much data from so many environments that we just couldn’t do it with our legacy tools,” O’Keefe explained.
GreyMatter’s flexible architecture allowed Circle K to execute a seamless migration to a more advanced SIEM platform. Using bi-directional APIs, GreyMatter enabled Circle K to maintain uninterrupted detection coverage during the transition. The platform’s “build once, deploy everywhere” model ensured that existing detections could be rapidly applied to the new environment, saving Circle K time and resources.
“As we began to migrate, we interacted with ReliaQuest very early on to ensure we maintained security over all of our use cases,” O’Keefe said. “On day one of being in our new environment, we had complete security parity with our old environment.”
The migration was completed with no disruption to business or security operations. By modernizing its SIEM and leveraging GreyMatter’s detection capabilities, Circle K gained immediate coverage across IT and OT environments while significantly improving scalability.
“Moving at the Speed of Business”
In the coming years, O’Keefe plans to lean on GreyMatter’s tech-neutral architecture to further Circle K’s broader security strategy, which ensures the team is well positioned to quickly and safely bring on new tools or acquired environments.
With GreyMatter, the team achieved:
- 148% better MITRE ATT&CK coverage, achieved through GreyMatter’s ability to unify fragmented systems and apply consistent detections across diverse business segments.
- 95% lower alert noise, freeing analysts to focus on high-priority tasks like threat hunting and forensics.
- 5-minute mean time to contain, down from 24 hours.
"GreyMatter allows us to move at the speed of business,” O’Keefe said. “When the business wants to make an acquisition or change a technology, we’re able to quickly integrate that into GreyMatter, develop playbooks, and build automations so we can respond to any potential threat.”
From cutting containment times to modernizing its SIEM, Circle K’s partnership with ReliaQuest exemplifies how GreyMatter enables organizations to scale security operations, adopt new technologies, and safeguard their global footprint against emerging threats. As Circle K continues to innovate and expand, GreyMatter remains a cornerstone of its cybersecurity strategy.
Cutting down our mean time to contain has meant a lot,” O’Keefe said. “The automation and AI built into GreyMatter is really what drove those numbers down, enabling us to detect and contain quickly to shut threat actors down.Pat O'Keefe Head of Global Cybersecurity
Explore Other Resources
Learn How GreyMatter Measures and Improves Your Security Operations
The GreyMatter security operations platform removes duplicates and delivers unified detection content and coverage for high-fidelity, enriched alerts. GreyMatter enables your team to boost its efficiency, reduce burnout, and better manage risk.
