Case Study
Lemonade Accelerates Security Operations With A High-Speed Security Data Lake Using Scanner
About
Lemonade is a digital insurance company for renters, home, pet, car, and life insurance.
Industry
Insurance
Company Size
1001-5000
Founded
2015
Highlights
  • Lemonade's security team faced limitations with its prior cloud SIEM partner's 7-30 day log retention and expensive rehydration fees.
  • Scanner enabled cost-effective retention of logs for 12+ months while maintaining quick access to historical data.
  • The security team now uses Scanner daily for both security and operational tasks.
  • The team gained the ability to rapidly check for exposure to threats, even when threat activity occurred several months ago.
  • The platform can process needle-in-haystack queries across 10TB of uncompressed log data per second.
  • Schemaless architecture eliminated complex data transformation needs and simplified integration of new log sources.
  • Lemonade keeps full data custody in their own S3 buckets, avoiding vendor lock-in.
  • The team is using Scanner to build custom detection infrastructure, allowing them to expand beyond the third-party detection systems they currently use.
Executive Summary

Lemonade (NYSE: LMND), a technology-first insurance company, faced challenges with their existing log management and security monitoring solutions. After evaluating multiple options, they implemented Scanner, which led to improved security operations, cost savings, and enhanced investigative capabilities.

This case study explores their journey from legacy solutions to a more efficient, cost-effective security infrastructure.

Challenges

Prior to implementing Scanner, Lemonade struggled with the limitations and high costs of their existing cloud SIEM solution. The platform's log retention was restricted to just 7-30 days depending on the index, with expensive rehydration fees making longer-term data access financially impractical. Performance issues also hampered their operations, with slow query responses affecting their ability to conduct timely investigations.

When evaluating alternative solutions, they found that many options required complex schema management, demanding constant tweaking as new log sets were introduced. The need to match field definitions across different log types created additional overhead. Building an in-house data lake was considered but ultimately proved too resource-intensive and expensive.

Solution

After careful evaluation of multiple alternative SIEM and security data lake tools, Lemonade chose to implement Scanner. The decision was driven by Scanner's ability to provide a fast, cost-effective security data lake without the complexity and overhead of traditional solutions.

Scanner's approach to data lakes is fundamentally different from traditional data lake tools. While conventional solutions force users to conform every log source to a rigid SQL table schema, Scanner's data engine is schemaless. For Lemonade, this flexibility eliminated the need for complex schema management and data transformation, making it easy to integrate new log sources and enable dynamic search capabilities across all data types and sources.

Scanner's unique architecture centers on a specialized inverted index designed specifically for S3, enabling exceptional search performance at scale. The system can process needle-in-haystack queries—such as searching for specific IP addresses, domains, or other indicators of compromise—at speeds of up to 10TB of uncompressed log data per second.

This performance scales to petabytes of data, allowing Lemonade's security team to search months of historical logs in seconds rather than hours. Whether they're hunting for a specific threat indicator across their entire dataset or performing complex threat investigations, queries return results fast enough to maintain investigative momentum.
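The schemaless, token-indexed search described above is the part of the architecture worth seeing concretely. What follows is an added example written for this page, not Scanner's own code or anything from Lemonade: a toy inverted index in Python over constructed JSON log lines from four sources (VPC flow, CloudTrail, DNS, proxy) that share no schema. It indexes every value of every field, whatever the field is called, so one lookup for an IP or domain returns hits across all sources without any field mapping, which is the property the text describes. The field names, sample records and the domain-suffix tokenisation rule are assumptions made for illustration; a real index over S3 would add compression, sharding and durable posting-list storage, which this omits.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines from four sources with no shared schema.
# The same IP appears under different field names (srcaddr vs sourceIPAddress).
SAMPLE_LOGS = [
    '{"source":"vpc_flow","srcaddr":"203.0.113.7","dstaddr":"10.0.1.5","action":"ACCEPT"}',
    '{"source":"cloudtrail","sourceIPAddress":"198.51.100.23","eventName":"ConsoleLogin",'
    '"userIdentity":{"userName":"alice"}}',
    '{"source":"dns","query":"updates.example.net","client_ip":"10.0.1.5","rcode":"NOERROR"}',
    '{"source":"proxy","client":"10.0.2.9","url":"http://updates.example.net/agent.bin","status":200}',
    '{"source":"cloudtrail","sourceIPAddress":"203.0.113.7","eventName":"GetCallerIdentity",'
    '"userIdentity":{"userName":"bob"}}',
]

# Runs of characters that stay together as one token (hosts, IPs, path pieces).
TOKEN_RE = re.compile(r"[a-z0-9._:-]+")


def flatten(obj, prefix=""):
    """Yield (field_path, value) for every scalar in a nested JSON record."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, prefix + key + ".")
    elif isinstance(obj, list):
        for val in obj:
            yield from flatten(val, prefix)
    else:
        yield prefix.rstrip("."), str(obj)


def tokenize(value):
    """Tokens for one value: the whole value, its runs, and domain-style suffixes."""
    value = str(value).lower()
    toks = {value}
    for tok in TOKEN_RE.findall(value):
        toks.add(tok)
        parts = tok.split(".")
        # Suffixes so a query for "example.net" also hits "updates.example.net";
        # skipped for all-numeric dotted tokens (IP addresses) to avoid noise like "7".
        if not all(p.isdigit() for p in parts):
            for i in range(1, len(parts)):
                toks.add(".".join(parts[i:]))
    return toks


class SchemalessIndex:
    """Inverted index: token -> set of record ids, with no field definitions."""

    def __init__(self):
        self.postings = defaultdict(set)
        self.docs = []

    def add(self, line):
        doc_id = len(self.docs)
        record = json.loads(line)
        self.docs.append(record)
        for field, value in flatten(record):
            for tok in tokenize(value):
                self.postings[tok].add(doc_id)                 # search any field
                self.postings[field + ":" + tok].add(doc_id)   # or one specific field
        return doc_id

    def search(self, term, field=None):
        """Ids of records containing term, optionally restricted to one field path."""
        key = term.lower() if field is None else field + ":" + term.lower()
        return sorted(self.postings.get(key, ()))

    def search_any(self, terms):
        """Union of hits for a list of indicators, e.g. from a vendor breach notice."""
        hits = set()
        for term in terms:
            hits.update(self.search(term))
        return sorted(hits)

    def locate(self, term):
        """(doc_id, source, field) for each field whose tokens contain term."""
        term = term.lower()
        found = []
        for doc_id in self.search(term):
            record = self.docs[doc_id]
            for field, value in flatten(record):
                if term in tokenize(value):
                    found.append((doc_id, record.get("source"), field))
        return found


def build_index(lines=SAMPLE_LOGS):
    """Index the constructed sample (or any iterable of JSON lines)."""
    index = SchemalessIndex()
    for line in lines:
        index.add(line)
    return index


if __name__ == "__main__":
    idx = build_index()
    for ioc in ["203.0.113.7", "example.net"]:
        print(ioc, "->", idx.locate(ioc))
```

The point to notice is in `locate`: the same indicator surfaces as `srcaddr` in the flow log and as `sourceIPAddress` in CloudTrail, and nobody had to declare that those two columns mean the same thing. Adding a fifth log source is just more lines through `add`. The cost is index size, since every value is tokenised several ways, which is the trade-off a columnar, schema-first store avoids.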

Key Benefits

Cost-Effective Log Management

Scanner has transformed Lemonade's approach to log management by making long-term data retention financially viable. Unlike their previous solution, which charged prohibitive fees for accessing historical data, Scanner enables them to retain logs for over a year while maintaining quick access to all historical data.

This has eliminated expensive rehydration fees and made costs more predictable. With Scanner's architecture, Lemonade keeps full data custody in their own S3 buckets, which helps them avoid vendor lock-in.

Enhanced Security Operations

The Lemonade team now uses Scanner daily for both security and operational tasks, leveraging its fast search capabilities to conduct investigations quickly. During security incidents, such as vendor breach notifications, the team can rapidly validate potential threats by checking indicators of compromise against their historical data.

They're also in the process of building a custom detection and response engine that integrates with Scanner, giving them more control over their security infrastructure.

Simplifying Technical Security Work

Due to its search speed, Scanner enables Lemonade's security team to develop deep familiarity with their security data. The platform makes it easier to perform sophisticated investigations and build custom detection rules. Rather than relying on third-party detections, the team can now craft and maintain their own detection libraries based on their unique understanding of their environment.

This hands-on approach helps team members develop intimate knowledge of their systems and data, making them more effective at identifying and troubleshooting complex security issues.

Historical Logs: From Archived to Actionable

Scanner transformed how Lemonade uses their historical log data. While compliance was one key driver for maintaining 12+ months of logs, teams also wanted to leverage this historical data for security insights.

However, the difficulty of rehydrating archived logs into analysis tools meant this valuable data often went unused. With Scanner, Lemonade can now quickly search and analyze over 12 months of logs, making it practical to extract insights that were previously out of reach.

By enabling rapid historical analysis alongside retention requirements, Scanner helps Lemonade realize substantially more value from their archived logs beyond just compliance.

Integration and Implementation

The integration of Scanner into Lemonade's existing infrastructure has been straightforward, with flexible options for log ingestion including Cribl, log forwarding, and Beacon.

The team is currently developing a custom automation engine that integrates with Scanner, demonstrating the platform's adaptability to custom solutions and workflows. Scanner's schemaless search makes Lemonade's security data lake easy to operate.

Future Developments

Lemonade's security team is actively working on several initiatives to leverage Scanner's capabilities further. They are building a comprehensive Scanner detection library with GitHub CI/CD, developing their custom automation engine with Scanner integration, and expanding beyond third-party detection systems in favor of custom, tailored solutions.

These developments reflect their commitment to building a more sophisticated, engineering-focused security operation.

Quotes

Scanner allows us to own investigations and be a go-to resource for other teams in the company. The logging and searching is so fast, our team uses Scanner on a daily basis, not just for security tasks but for other purposes.

In an environment where more security people are becoming less sophisticated in terms of technology, I intentionally want my team to be more engineering-focused, and Scanner is another tool that encourages them to act more like engineers and less like click-ops analysts.

Jonathan Jaffe, CISO of Lemonade
Impact

The implementation of Scanner has transformed Lemonade's security operations. The team now conducts faster, more comprehensive investigations while maintaining longer data retention periods cost-effectively. The team can rapidly answer questions about threat exposure, no matter whether the threat activity happened a few hours ago or several months ago.

This has enabled them to build more sophisticated, engineering-focused security operations and develop custom solutions tailored to their specific needs.

Additionally, the platform's capabilities have positioned the security team as a valuable resource for other departments, providing quick access to critical data across the organization.
