
How Airties migrated from ArcSight to Elastic and cut investigation times from hours to seconds

Elastic Blog, by Jon Ashley, Itay Tevel, Tolgay Fıçıcı, Kemal Furkan Araci. October 20, 2025

To meet evolving threats and business needs, Airties revamped its security operations — migrating from ArcSight to Elastic. Discover the challenges the Airties team faced and the benefits gained from their SIEM transformation.

In a rapidly evolving digital landscape, organizations must continuously adapt their security operations to keep pace with new threats and business needs. For the team at Airties, a global leader in Wi-Fi mesh technology and access point solutions, this meant rethinking their legacy security information and event management (SIEM) platform.

Airties is a manufacturer of access points, primarily serving large telecom operators. Its solutions power the Wi-Fi networks in millions of homes worldwide. With a footprint of nearly 50 million devices, Airties collects vast amounts of data to provide analytics and insights to its telco partners, helping them monitor network health, detect interference, and troubleshoot issues down to an end-user level.

While Airties started as a hardware company, it is now transitioning to a software-first model. Its patented Wi-Fi mesh technology is available for licensing, allowing any hardware vendor to integrate Airties’ software into their devices. This shift has expanded Airties’ reach and increased the volume and complexity of the data it manages.

The challenge: Outgrowing ArcSight, its legacy SIEM provider

The Airties security team — led by Tolga Fıçıcı, the IT security senior manager, and Kemal Araci, lead security engineer — found themselves increasingly constrained by their legacy ArcSight SIEM. The team reported challenges including:

  • Outdated technology: ArcSight’s interface and capabilities had not evolved suitably for the needs of Airties, making it difficult to keep up with modern security requirements.
  • Integration limitations: Integrating new data sources or cloud platforms was a difficult, painful, and often manual process with limited support for modern environments.
  • Complexity and usability: The platform required navigating multiple disjointed UIs for different tasks like search, integration, and rule creation, leading to inefficiency and frustration.
  • Performance bottlenecks: Even with moderate data volumes (around 60GB per day), searches were slow and unreliable, hampering investigations and response times.
  • High cost and low ROI: Despite rising subscription and management costs, the value delivered by ArcSight was diminishing with little to show for the investment.
  • Reliance on third parties: Much of the administration of the ArcSight solution was outsourced, resulting in slower response times and inconsistent support.

Fıçıcı recognized the need for change, saying that “unfortunately, ArcSight could no longer meet our requirements. It wasn’t covering the things we needed to see in security, and integrating new rules or correlations was becoming more and more challenging.”

The search for a modern SIEM

Recognizing the need for change, Airties evaluated several alternatives to ArcSight. Elastic quickly stood out for several reasons, including:

  • Rich integrations: Elastic offered a wide array of out-of-the-box integrations, making it easy to connect to cloud platforms and other systems with just a few clicks.
  • User-friendly UI: The unified interface allowed the team to visualize data in real time and manage rules without deep technical expertise.
  • Built-in correlation rules: Elastic came with a robust set of prebuilt detection rules, reducing the need to build everything from scratch.
  • Scalability and performance: Elastic’s architecture enabled fast searches and analytics even as data volumes grew.
  • Cost-effectiveness: The total cost of ownership was more attractive, especially as Airties doubled its log sources after migrating.

Fıçıcı recognized immediately through a proof of concept that Elastic offered more ready-made integrations. “With Elastic, there were already connectors — you could integrate many things with a couple of clicks,” he says. He also highlights that API integrations are seamlessly handled: “You do not need to spend manual effort fetching logs from API endpoints. The integration handles it.”

Elastic offers over 300 ready-made integrations, including automated API-based data ingestion. Users don’t need to manually fetch logs from API endpoints — Elastic’s integrations handle collection and parsing automatically. Tools like Elastic Agent, Filebeat, and Logstash can be easily configured to pull data from APIs and other sources, streamlining the process and reducing operational effort.

Implementation and impact

Seamless migration and integration

Airties’ IT and security teams, though small, managed the migration internally. Elastic’s ease of use meant that even with limited resources, they could deploy, integrate, and manage the platform effectively.

Architecture

From an architecture perspective, the on-premises Elastic cluster was set up with three nodes and Kibana, using data tiering, including frozen tiers that further reduced costs, for efficient storage management. This allowed the team to expand from collecting only audit and security logs to integrating data from all infrastructure and cloud systems, effectively doubling their visibility. Elastic provided immediate feedback on data ingestion and health with ready-made, out-of-the-box dashboards for monitoring. Additionally, the Fleet Server enabled centralized management of all Elastic Agents, making it easy to schedule updates and track agent status without manual intervention, which streamlines operations and simplifies progress tracking.
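As an added illustration of the data tiering described above (example configuration, not Airties' or Elastic's own), the Kibana Dev Tools requests below register a snapshot repository and define an index lifecycle policy that moves security log indices from the hot tier through warm and cold to a partially mounted frozen tier before deletion. The policy name, repository name and path, and the retention ages are assumptions.

```console
# Snapshot repository backing the cold and frozen tiers (name and path are assumed)
PUT _snapshot/siem-snapshots
{
  "type": "fs",
  "settings": { "location": "/mnt/siem-snapshots" }
}

# Lifecycle policy: hot -> warm -> cold -> frozen -> delete (ages are assumed)
PUT _ilm/policy/siem-logs
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": { "max_primary_shard_size": "50gb", "max_age": "1d" },
          "set_priority": { "priority": 100 }
        }
      },
      "warm": {
        "min_age": "7d",
        "actions": {
          "forcemerge": { "max_num_segments": 1 },
          "set_priority": { "priority": 50 }
        }
      },
      "cold": {
        "min_age": "30d",
        "actions": {
          "searchable_snapshot": { "snapshot_repository": "siem-snapshots" },
          "set_priority": { "priority": 0 }
        }
      },
      "frozen": {
        "min_age": "90d",
        "actions": {
          "searchable_snapshot": { "snapshot_repository": "siem-snapshots" }
        }
      },
      "delete": {
        "min_age": "365d",
        "actions": { "delete": {} }
      }
    }
  }
}
```

An `fs` repository path must be listed under `path.repo` on every data node, and the frozen phase only takes effect on a node that carries the `data_frozen` role.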

Operational benefits

Secure Computing, an Elastic partner, works closely with organizations like Airties to introduce advanced security solutions from Elastic. As trusted advisors, Secure Computing supports clients in strengthening their security operations and optimizing their technology stack.

Since implementing Elastic Security at Airties, search performance has improved dramatically. Investigations that previously took hours now take just seconds, enabling teams to respond to threats much faster and eliminating the need for manual log checks. As a result, Airties is no longer dependent on third-party support for day-to-day operations, significantly reducing administrative overhead. This shift has given the team greater control over their security environment and empowered them to operate more efficiently.

With Elastic’s built-in correlation rules and machine learning capabilities, we’ve significantly enhanced our threat detection without the need for extensive custom development. The platform’s scalability has been a game changer — Elastic easily handled our increased data volumes as we expanded and migrated to the cloud, all without any performance degradation.

Kemal Araci, Security Engineer, Airties

Araci also added that “we doubled our log resources because it’s easier to integrate. Now, we have visibility in all of our infrastructure and cloud systems.”

Looking ahead: Cloud, SOAR, and managed services

Airties is now planning to move its Elastic deployment to the cloud, aiming to further reduce infrastructure overhead and take advantage of managed services. It is also exploring security orchestration, automation, and response (SOAR) capabilities, especially following Elastic’s recent acquisition of Keep, which promises to bring advanced automation and response features to the platform.

Fıçıcı says, “We want to outsource almost every solution we are currently managing. We will move from on-prem to cloud and from services to managed services.”

Improve your outcomes with Elastic Security

Airties’ move from ArcSight to Elastic reflects its need for a more adaptable and integrated approach to security analytics. By adopting Elastic, Airties addressed the challenges it faced with its previous SIEM and created a foundation that supports both its current requirements and future plans for growth.

If your organization is facing similar challenges with legacy security tools, Airties’ experience shows that a modern platform like Elastic can deliver real, measurable improvements in efficiency, visibility, and security outcomes.

Interested in learning more about Elastic Security and how it can transform your operations? Contact us or explore our integrations to get started.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.

Elastic, Elasticsearch, and associated marks are trademarks, logos, or registered trademarks of elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.
