How California’s EDD Cut Security Response Time by 99% with Elastic Security

California’s Employment Development Department runs the benefit programs that residents turn to during unemployment, illness, and family leave. The Department handles billions of data points across high-availability state systems, making it a significant target for fraud and cyber threats. Its 60-person security team, led by Chief Information Security Officer Douglas Leone, must simultaneously ensure that legitimate applicants can access support without friction while preventing bad actors from exploiting the same systems.

Before deploying Elastic Security, the Department lacked unified visibility across its complex, multi-program IT environment. Security investigations required analysts to jump between disconnected systems, slowing down threat detection and response. With 14,000 endpoints, 10,000 employees, and over 80,000 alerts arriving per month, the security team struggled to distinguish genuine threats from noise efficiently — a problem that had real consequences for the millions of Californians depending on uninterrupted access to critical services.

EDD deployed Elastic Security on Elastic Cloud and AWS as the backbone of its SIEM operation, integrating it across nearly 3,000 servers spanning all programs and lines of business. Elastic collects and normalizes system and transactional data from across the environment into a single location, giving analysts a unified view of activity, traffic, and alerts through advanced dashboards that each line of business can customize. AI-powered features including Attack Discovery automatically prioritize cybersecurity alerts by detecting unknown threats and surfacing the most critical ones, allowing the team to focus attention where it matters most rather than triaging manually.

The impact on the security team’s effectiveness was immediate and significant. Mean time to response dropped by 99% as AI-assisted alert prioritization eliminated the need to comb through noise manually. Elastic’s speed in searching across 850 billion records — including six months of log history — gave investigators the reach they needed without performance degradation. Teams across EDD began requesting customized Elastic dashboards of their own, reflecting how deeply the platform embedded itself into operations beyond the core security function.

EDD is continuing to expand its Elastic footprint, with plans to add application performance monitoring to extend the same observability to its business applications. Elastic Consulting has been instrumental in onboarding new staff, training ML and AI models, and developing deep-freeze storage strategies to meet strict data retention requirements. Leone describes the relationship as central to the Department’s path toward self-reliance: a public agency protecting its most vulnerable residents by making AI-driven security a permanent operational capability.