A Hyperscaler for Cybersecurity

Daniel Ballmer
Hyperscalers like AWS and GCP have transformed IT and general tech. Now it's time for the cybersecurity industry to catch up by shifting to specialized hyperscaler platforms built for security operations (SecOps) at scale.

Why the cybersecurity industry needs its own hyperscaler

IT hyperscalers evolved to meet the challenges of web-scale computing back in the early aughts. At the time, businesses and software developers were struggling to:

  • Ensure high availability and performance

  • Access infrastructure that could cope with increasingly intensive workloads and scale as needed

  • Free themselves from the cost and headaches of purchasing and maintaining physical infrastructure

  • Find a cost-effective way to accommodate fluctuating compute and data storage requirements (either due to business growth or temporary spikes)

The genius of AWS and other public cloud providers was to abstract the capabilities needed to meet those needs and offer them as cloud-native primitives. In the words of Jeff Bezos, the hyperscaler would take over the "undifferentiated heavy lifting" of IT infrastructure so companies could focus on their core value instead.

The approach was so successful that these problems are now considered more or less solved for IT. But in cybersecurity, we face a similar constellation of challenges with no corresponding solution. SecOps teams today need to:

  • Develop customized yet scalable SecOps practices and workflows

  • Deal with an ever-increasing sprawl of point solutions in the stack

  • Manage the massive amounts of data flowing into the SOC from different telemetry sources

  • Scale infrastructure spending up or down based on actual usage, instead of being stuck with tool vendors’ long-term contracts, complex licensing, capacity planning, and termination fees

  • Reduce spending on high-cost security solutions such as SIEMs

  • Spend less time on infrastructure maintenance and more time on what really differentiates them—namely, security operations!

LimaCharlie was founded on a simple premise: The best way to meet these challenges for our industry is with a dedicated hyperscaler platform for security operations.

The SecOps Cloud Platform: a hyperscaler for modern security operations at scale

The LimaCharlie SecOps Cloud Platform (SCP) does for security teams what AWS, Azure, and GCP do for IT. It gives them the core capabilities they need as primitives—available on-demand, pay-per-use, and accessible via open APIs.

The platform is built to enable SecOps at scale. Security configurations are defined and managed through infrastructure as code (IaC). Multi-tenancy and automation are foundational design principles. The SCP is hosted on GCP for security, compliance, and near-infinite scalability.

So, what does “scalable cybersecurity” look like in the abstract? Simply put, it refers to the sorts of well-understood technologies and capabilities that every SecOps team needs, delivered through a well-integrated, engineering-first platform:

  • A multi-platform agent to collect telemetry from any endpoint source and perform response actions as needed.

  • Simplified management of telemetry data and security tools through a unified data format and a single, easy-to-use UI.

  • Automation in the most fundamental sense: "When X, do Y," for everything in the SCP. Bidirectional capabilities also allow teams to automate responses across third-party solutions.

  • Real control over telemetry data. Teams ingest whatever they want. Send it wherever they want. Transform/prune/enrich data in flight as needed.

  • A data lake that stores everything brought into the platform for one year at no cost beyond that of ingestion.

  • The ability to integrate with other solutions through extensions, adapters, and add-ons.

To be clear, the SCP does not purport to be "the only solution teams will ever need" like some big vendors do when promoting their (rather dubious) vision of cybersecurity platformization.

No, our thesis is far more modest: Cybersecurity needs a hyperscaler to provide core security capabilities. The SCP is built for integration and integrability, and plays well with third-party solutions. But just as IT hyperscalers have become the backbone of IT groups, the SCP can serve as a security infrastructure backbone for SecOps teams.

Why MSSPs and MDRs will be the biggest winners

Every organization can benefit from moving security operations to a cybersecurity hyperscaler platform like the SCP. However, Managed Detection and Response (MDR) and Managed Security Services Provider (MSSP) businesses stand to gain the most from this approach.

To begin with, working with a dedicated infrastructure provider offers two immediate advantages to service providers. First, MSSPs and MDRs no longer have to rely on tool vendors that are also their competitors. It’s an open secret that many of the big security solutions vendors have launched, or are launching, their own managed security services offerings. Second, service providers can focus on their core value proposition and their differentiators instead of spending time on infrastructure maintenance.

Just as importantly, a hyperscaler is designed for scalability (by definition!). Unfortunately, the same can’t be said for many security tools on the market. These tools often require manual configuration, turning SecOps into tedious “click-ops.” It’s a productivity drain for enterprise security teams. But it’s a much bigger problem for MSSP and MDR teams, who have to operate at scale constantly and across multiple client organizations. The SCP is built for SecOps at scale in a way that delivers outsized benefits to service providers: multi-tenant by default, IaC controls and configuration management, and extensive automation to reduce manual workflows as much as possible.

Finally, a security hyperscaler lets MSSPs and MDRs leverage the benefits of the public cloud provider model in their businesses. Here are a few ways that service providers can use the SCP to save money, create value for clients, and compete more effectively:

Reduce SIEM costs without complex observability point tools: SIEMs are expensive—so much so that businesses often turn to unwieldy observability solutions to bring those costs under control. The SCP offers data observability natively, because we believe visualization and control over telemetry data is a fundamental capability all teams should have by default. The SCP can be used as a passthrough to manage and route telemetry data more cost-effectively, achieving most of the savings of an observability point solution at a fraction of the expense and complexity. In addition, the SCP’s bidirectional capabilities let teams turn their observability pipeline into a real-time detection and response solution as well.

Sleeper deployments for rapid IR: SCP agents can be pre-deployed to client endpoints in "sleeper mode," i.e., with data ingestion set to a bare minimum, for just pennies per month. In the event of an incident, these agents can be turned on at a moment's notice and used to take response actions on endpoints almost instantly. This has allowed our service provider users to offer their clients SLAs of as little as 20 minutes.

Take immediate action on threat intelligence: Through independent research and peer networks, cybersecurity practitioners often have access to threat intelligence before their tool vendors do. This can lead to a frustrating situation in which service providers know that there is a threat, but must wait for their vendor to (a) acknowledge it and (b) update their detection and response (D&R) rules accordingly. By leveraging the SCP's IaC controls, service providers can operationalize threat intelligence as soon as it becomes available. For example, if teams have an indicator of compromise that they want to detect, they can simply paste a new D&R rule into a master configuration file and push out the change to all of their clients at once.
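One concrete shape this takes, as an added example that is not from the original post or from LimaCharlie's own documentation: an infrastructure-as-code fragment carrying two "When X, do Y" D&R rules (one keyed on a file hash, one on a domain) that a provider could keep in a master configuration file and push to every tenant at once. The `version: 3` sync layout and the D&R rule fields are assumed from LimaCharlie's public docs as the editor understands them; the rule names, hash and domain are constructed placeholders.

```yaml
# Added example (not from the original post or LimaCharlie docs).
# Assumed: config-sync layout (version: 3, rules:) and D&R rule schema.
# Constructed placeholders: rule names, the SHA-256 value, the domain.
version: 3
rules:
  ioc-known-bad-hash:                # constructed rule name
    namespace: general
    detect:
      # "When X": a newly seen executable whose hash matches the IoC
      event: CODE_IDENTITY
      op: is
      path: event/HASH
      value: 0000000000000000000000000000000000000000000000000000000000000000  # placeholder, not a real IoC
      case sensitive: false
    respond:
      # "do Y": raise a named detection the SOC can route or automate on
      - action: report
        name: ioc-known-bad-hash-seen

  ioc-known-bad-domain:              # constructed rule name
    namespace: general
    detect:
      # "When X": a DNS lookup for the IoC domain or any of its subdomains
      event: DNS_REQUEST
      op: ends with
      path: event/DOMAIN_NAME
      value: ioc-placeholder.example   # placeholder, not a real IoC
      case sensitive: false
    respond:
      - action: report
        name: ioc-known-bad-domain-lookup
```

Because the file is declarative, the same fragment can be version-controlled and reviewed before it is synced, so the audit trail of "which rule reached which tenant, when" comes for free.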

Begin engagements more quickly: The SecOps Cloud Platform helps service providers begin engagements far more quickly. Everything in the SCP is available on demand, so there's no need to deal with a vendor sales representative or engage in protracted contract negotiations before getting started. Multi-tenancy and IaC mean that a service provider can spin up a new tenant in minutes, either by cloning an existing tenant or using a preconfigured template. This makes onboarding new clients significantly faster—and lets incident responders get to work immediately during time-sensitive IR engagements.

Bring new offerings to market faster: When a hyperscaler has already handled fundamental infrastructure challenges, service providers don't have to start from scratch—or attempt to reinvent the wheel—every time they want to develop a new product or service offering. To offer one example, cloud SIEM provider Blumira took their XDR from concept to general availability in just five months by using SCP infrastructure.

Learning more

To explore how a cybersecurity hyperscaler platform can help you modernize your security operations, book a demo today.