How California’s EDD Cut Security Response Time by 99% with Elastic Security
California’s Employment Development Department, which administers unemployment, disability, and paid family leave programs for millions of residents, deployed Elastic Security on AWS to unify cybersecurity monitoring across 3,000 servers and 850 billion records. AI-driven threat detection reduced mean time to response by 99% while enabling a 60-person security team to manage over 80,000 alerts per month.
Impact
99%: Reduction in mean time to response
850 billion: Records secured in Elastic
3,000: Servers connected to Elastic
80,000+: Monthly alerts managed
Challenge
EDD’s 60-person security team managed over 80,000 monthly alerts across 14,000 endpoints and 850 billion records with no unified visibility — forcing analysts to jump between disconnected systems to investigate threats, slowing detection and leaving the benefit programs relied on by millions of Californians exposed to fraud and cyber risk.
Solution
EDD deployed Elastic Security on Elastic Cloud and AWS across 3,000 servers, unifying log ingestion and threat detection in a single SIEM with AI-driven Attack Discovery that automatically prioritizes critical threats and reduces mean time to response, supported by Elastic Consulting for model training and staff onboarding.
What Leaders Say
“Moving to Elastic Cloud on AWS speeds up performance for the security team, eliminating downtime and providing faster search and analysis of data. EDD currently has over 850 billion records in Elastic, and even as data volumes grow, performance remains strong.”
“Often SIEMs can be seen as a black box, but Elastic provides more clarity by integrating into lines-of-business data. Elastic allows us to ingest vast amounts of data in a unique way and apply data science to make intelligent decisions about security.”
“Elastic elevated the value of a SIEM for us. Teams trust us for insights into cybersecurity detection and anomalous activity, helping us become a value add for lines of business.”
Full Story
California’s Employment Development Department runs the benefit programs that residents turn to during unemployment, illness, and family leave. The Department handles billions of data points across high-availability state systems, making it a significant target for fraud and cyber threats. Its 60-person security team, led by Chief Information Security Officer Douglas Leone, must simultaneously ensure that legitimate applicants can access support without friction while preventing bad actors from exploiting the same systems.
Before deploying Elastic Security, the Department lacked unified visibility across its complex, multi-program IT environment. Security investigations required analysts to jump between disconnected systems, slowing down threat detection and response. With 14,000 endpoints, 10,000 employees, and over 80,000 alerts arriving per month, the security team struggled to distinguish genuine threats from noise efficiently — a problem that had real consequences for the millions of Californians depending on uninterrupted access to critical services.
EDD deployed Elastic Security on Elastic Cloud and AWS as the backbone of its SIEM operation, integrating it across nearly 3,000 servers spanning all programs and lines of business. Elastic collects and normalizes system and transactional data from across the environment into a single location, giving analysts a unified view of activity, traffic, and alerts through advanced dashboards that each line of business can customize. AI-powered features including Attack Discovery automatically prioritize cybersecurity alerts by detecting unknown threats and surfacing the most critical ones, allowing the team to focus attention where it matters most rather than triaging manually.
The impact on the security team’s effectiveness was immediate and significant. Mean time to response dropped by 99% as AI-assisted alert prioritization eliminated the need to comb through noise manually. Elastic’s speed in searching across 850 billion records — including six months of log history — gave investigators the reach they needed without performance degradation. Teams across EDD began requesting customized Elastic dashboards of their own, reflecting how deeply the platform embedded itself into operations beyond the core security function.
EDD is continuing to expand its Elastic footprint, with plans to add application performance monitoring to extend the same observability to its business applications. Elastic Consulting has been instrumental in onboarding new staff, training ML and AI models, and developing deep-freeze storage strategies to meet strict data retention requirements. Leone describes the relationship as central to the Department’s path toward self-reliance: a public agency protecting its most vulnerable residents by making AI-driven security a permanent operational capability.